The Federal Trade Commission (FTC) has released a guide for businesses with practical tips and advice to help organizations better secure their data. The guide, Start With Security, draws on more than 50 data security enforcement actions by the FTC against various businesses. The FTC notes that “the specifics of the cases apply just to those businesses, but each action offers compliance nuggets for other companies to consider. Start With Security synthesizes the actions into 10 common-sense lessons that apply to businesses of all sizes and in all sectors.”
This latest FTC guidance builds on its 2007 brochure, Protecting Personal Information: A Guide for Business, which describes fundamental data security principles. In Start With Security, the FTC encourages organizations to consider data security at the earliest possible stage and to make “reasonable choices based on the nature of their business and the sensitivity of the information involved.”
Companies are urged to learn these 10 lessons:
- Start with security
- Control access to data sensibly
- Require secure passwords and authentication
- Store sensitive personal information securely and protect it during transmission
- Segment your network and monitor who’s trying to get in and out
- Secure remote access to your network
- Apply sound security practices when developing new products
- Make sure your service providers implement reasonable security measures
- Put procedures in place to keep your security current and address vulnerabilities that may arise
- Secure paper, physical media and devices
Data security and privacy breaches can impact organizations across all sectors of the economy, potentially compromising personal, employee, health, proprietary and financial information. These incidents may be attributable to something as simple as employee error, or more nefarious motives such as efforts to steal intellectual property or destroy a company’s reputation.
The FTC and other federal and state regulators are actively enforcing compliance in this area. Thus, regardless of the reason for a potential compromise, every organization should take preventive measures and be prepared to respond to and mitigate any harm caused by an incident. Good first steps toward better data security include examining data collection, retention, and sharing policies and practices; providing ongoing training to employees; and developing an effective incident response plan.