The Acting Director of the FTC’s Bureau of Consumer Protection, Thomas B. Pahl, recently commenced a ‘Stick with Security’ series of blog posts that analyze the data security principles championed by the FTC in its Start with Security guidance. The posts are intended to impart lessons the FTC has learned via investigations and enforcement actions, and to highlight good/bad practices implemented by businesses, since the FTC’s issuance of its Start with Security guidance in June 2015.
In its first three posts (available here, here, and here), the FTC emphasized a number of straightforward best practices that can help businesses mitigate potential penalties in the event of a data security incident, including:
- Companies should not collect any excess personal or sensitive information beyond that necessary for the company’s legitimate business purposes, and should not retain such information longer than absolutely necessary;
- Default settings on devices, programs, software, and other items that feature privacy controls should be pre-programmed to higher security settings (thereby establishing enhanced baseline security levels and putting the onus on the user to reduce the security protection);
- Companies should restrict access to sensitive electronic and physical data through the use of access controls (such as locked file cabinets for physical data, and firewalls or restricted privileges for electronic data), and should tailor administrative rights and access to maintain system security;
- Users and administrators should securely store and protect system passwords, use complex and unique passwords, and guard against system attacks by limiting permissible log-in attempts and/or utilizing multi-factor authentication.
Although the FTC’s guidance in these posts is not new, the Stick with Security series provides simple reminders of basic steps that companies large and small can take to improve their data security and strengthen their standing with the FTC in the event of an investigation. Companies would be well advised to continue monitoring the posts, which are to be released weekly on Fridays until all 10 principles set forth in the Start with Security guidance are covered.