We (and others) often comment on the Federal Trade Commission’s (FTC) increased enforcement activity on data security issues, particularly in the Wyndham and LabMD cases, and on the fact that it is enforcing data security without specific regulations. The FTC previously issued guidance in Protecting Personal Information: A Guide for Business and has just issued Start with Security: A Guide for Business on data security.
In the guide, the FTC points out that it has settled more than 50 law enforcement actions and that the settlements offer lessons for businesses to learn from when it comes to data practices. The 10 lessons the FTC specifically lists are:
- Start with security.
- Control access to data sensibly.
- Require secure passwords and authentication.
- Store sensitive personal information securely and protect it during transmission.
- Segment your network and monitor who’s trying to get in and out.
- Secure remote access to your network.
- Apply sound security practices when developing new products.
- Make sure your service providers implement reasonable security measures.
- Put procedures in place to keep your security current and address vulnerabilities that may arise.
- Secure paper, physical media, and devices.
Although the guide is rather basic when it comes to data security, all businesses should review the guidance and compare it to their existing security practices. It is also a great document for the C-Suite and board members who may not be conversant in IT lingo: it gives them a basic understanding of the risks associated with data and helps them pose questions about the company’s data security practices.
One thing is certain: if the FTC issues guidance, it is a no-brainer to follow it and exceed it, as it is a roadmap of the FTC’s data requests in an enforcement action.