On June 30th, the Federal Trade Commission (FTC) published a guide titled Start With Security: A Guide for Business, providing 10 lessons learned from the over 50 enforcement actions brought by the FTC against companies that failed to adequately protect consumer data. The lessons and advice offered by the FTC guide are certainly common-sense, but present a good refresher for businesses looking to adopt “best practices” for securing customer data and protect against system breaches.

  1. Start with security
  2. Control access to data sensibly
  3. Require secure passwords and authentication
  4. Store sensitive personal information securely and protect it during transmission
  5. Segment your network and monitor who’s trying to get in and out
  6. Secure remote access to your network
  7. Apply sound security practices when developing new products
  8. Make sure your service providers implement reasonable security measures
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise
  10. Secure paper, physical media and devices

For each of the above 10 lessons, the FTC guide provides specific advice and examples of cases where business failed to adequately protect data, resulting in enforcement actions. From a business policy perspective, the key takeaway is for businesses to be aware of the risks associated with collecting, using and accessing customer data. Collect only the data about your customers you need, ensure that access to sensitive data is strictly limited to necessary individuals within your business and implement systems covering all phases of data’s life cycle.