{"id":236,"date":"2015-09-16T12:02:16","date_gmt":"2015-09-16T18:02:16","guid":{"rendered":"http:\/\/ericlambert.net\/blog\/?p=236"},"modified":"2015-09-16T12:02:16","modified_gmt":"2015-09-16T18:02:16","slug":"ftc-opens-their-nationwide-tour-to-promote-start-with-security","status":"publish","type":"post","link":"https:\/\/ericlambert.net\/blog\/2015\/09\/16\/ftc-opens-their-nationwide-tour-to-promote-start-with-security\/","title":{"rendered":"FTC opens their nationwide tour to promote Start with Security"},"content":{"rendered":"

It’s not the latest group on tour with a band name and album name that needed a lot more thought. \u00a0Earlier this year, the FTC announced that they would be releasing guidance for businesses on data security.\u00a0 In June, they did just that, releasing a guide\u00a0called Start with Security: A Guide for Business<\/a>.\u00a0 It’s subtitled “Lessons Learned From FTC Cases” for a reason —\u00a0it uses the 50+ FTC enforcement actions on data security to provide ten\u00a0lessons<\/strong>\u00a0companies should learn when\u00a0approaching to security to avoid others’ missteps that led to enforcement actions, and practical guidance<\/strong> on reducing risks. \u00a0The lessons are:<\/p>\n

    \n
  1. Start with security<\/span>. \u00a0The FTC has long advocated the concept of “privacy by design,” meaning\u00a0companies should bake an understanding of and sensitivity to privacy into every part of the business, making it part of the design process for new products and processes. \u00a0The FTC is advocating a similar concept of “security by design<\/span>.” Guidance: \u00a0don’t collect personal information you don’t need<\/strong> (the RockYou<\/em>\u00a0enforcement action); don’t use personal information when it’s not necessary<\/strong> (Accretive<\/em> and foru International<\/em>); don’t\u00a0hold on to information longer than\u00a0you have a legitimate business need for it<\/strong> (BJ’s Wholesale Club<\/em>).<\/li>\n<\/ol>\n
      \n
    1. Control access to data sensibly<\/span>. \u00a0Keep data in your possession secure by controlling access to it – limit access to those with a need to know for a legitimate business purpose (e.g., no shared user accounts, lock up physical files). Guidance: don’t let employees access personal information unless they need to access it as part of their job<\/strong> (Goal Financial<\/em>); don’t give administrative access to anyone other than employees tasked administrative duties<\/strong>\u00a0(Twitter<\/em>).<\/li>\n<\/ol>\n
        \n
      1. Require secure passwords and authentication<\/span>. \u00a0Use strong password\u00a0authentication and sensible password hygiene (e.g., suspend password after x unsuccessful attempts; prohibit common dictionary words; require at least 8 characters; require at least one upper case character, one lower case character, 1 numerical character, and 1 special character; prohibit more than 2 repeating characters; etc.) \u00a0Guidance: r<\/strong>equire complex and unique passwords<\/b> (Twitter<\/em>); store passwords securely<\/b> (Guidance Software<\/em>,\u00a0Reed Elsevier<\/em>,\u00a0Twitter<\/em>); guard against brute force attacks<\/strong>\u00a0(Lookout Services<\/em>,\u00a0Twitter<\/em>, Reed Elsevier<\/em>);\u00a0protect against authentication bypass\u00a0<\/strong>such as predictable resource location (Lookout Services<\/i>).<\/li>\n<\/ol>\n
          \n
        1. Store sensitive personal information securely (“at rest”) and protect it during transmission (“in motion”)<\/span>. Use strong encryption when storing and transmitting data, and ensure the personnel implementing encryption understand how you use sensitive data and can determine the\u00a0right approach on a situation-by-situation basis. \u00a0Guidance:\u00a0Keep sensitive information secure throughout the data life-cycle (receipt, use, storage, transmission, disposal)<\/strong> (Superior Mortgage Corporation<\/em>);\u00a0use industry-tested and accepted methods<\/strong> (ValueClick<\/em>);\u00a0make sure encryption is properly configured<\/strong> (Fandango<\/em>,\u00a0Credit Karma<\/em>).<\/li>\n<\/ol>\n
            \n
          1. Segment your network and monitor who’s trying to get in and out<\/span>. \u00a0Be sure to use firewalls to segment your network to minimize what an attacker can access. \u00a0Use intrusion detection and prevention tools to monitor for malicious activity. \u00a0Guidance:\u00a0segment your network<\/strong> (DSW<\/em>);\u00a0monitor activity on your network<\/strong> (Dave & Buster’s<\/em>,\u00a0Cardsystem Solutions<\/em>).<\/li>\n<\/ol>\n
              \n
            1. Secure remote access to your network<\/span>. Make sure you develop and implement a remote access policy, implement strong security measures for remote access, and put appropriate limits on remote access such as by IP address and revoking remote access promptly when no longer needed. \u00a0(The compromise of a vendor’s system via phishing, leading to remote network access,\u00a0is how the Target breach started.) \u00a0Guidance:\u00a0ensure remote computers have appropriate\u00a0security\u00a0measures in place, e.g., “endpoint security”<\/strong> (Premier Capital Lending<\/em>,\u00a0Settlement One<\/em>,\u00a0LifeLock<\/em>);\u00a0put sensible access limits in place<\/strong> (Dave & Buster’s<\/em>).<\/li>\n<\/ol>\n
                \n
              1. Apply sound security practices when developing new products<\/span>. Use “security by design” to ensure data security is considered at all times during the product development life-cycle. \u00a0Guidance:\u00a0Train engineers in secure coding<\/strong> (MTS, HTC America, TrendNet<\/em>);\u00a0follow platform guidelines for security<\/strong> (HTC America<\/em>,\u00a0Fandango<\/em>,\u00a0Credit Karma<\/em>);\u00a0verify that privacy and security features work<\/strong> (TRENDnet<\/em>,\u00a0Snapchat<\/em>);\u00a0test for common vulnerabilities<\/strong> (Guess?<\/em>).<\/li>\n<\/ol>\n
                  \n
                1. Make sure your service providers implement reasonable security measures<\/span>. Make sure you communicate your security expectations to your\u00a0service providers and vendors, and put their feet to the fire through contractual commitments and auditing\/penetration testing.\u00a0Guidance: put it in writing<\/b> (GMR Transcription<\/em>);\u00a0verify compliance<\/strong>\u00a0(Upromise<\/i>).<\/li>\n<\/ol>\n
                    \n
                  1. Put procedures in place to keep your security current and address vulnerabilities that may arise<\/span>. \u00a0Data security is a constant game of cat-and-mouse with hackers – make sure to keep your guard up. \u00a0Apply updates to your hardware and software as they are issued, and ensure you are spotting vulnerabilities\u00a0in, and promptly patching, your own software. Have a mechanism to allow security warnings and issues to be reported to IT. \u00a0Guidance:\u00a0update and patch third-party software<\/strong> (TJX Companies<\/em>);\u00a0heed credible security warnings and move quickly to fix them<\/strong> (HTC America<\/em>,\u00a0Fandango<\/em>).<\/li>\n<\/ol>\n
                      \n
                    1. Secure paper, physical media, and devices<\/span>. \u00a0Lastly, while the focus these days seems to be on cybersecurity, don’t forget about physical security of papers and physical media. \u00a0Guidance:\u00a0securely store sensitive files\u00a0<\/em><\/strong>(Gregory Navone<\/em>,\u00a0Lifelock<\/em>);\u00a0protect devices that process personal information\u00a0<\/strong>(Dollar Tree<\/em>);\u00a0keep safety standards in place when data is en route<\/strong> (Accretive<\/em>,\u00a0CBR Systems<\/em>);\u00a0dispose of sensitive data securely<\/strong> (Rite Aid,\u00a0<\/strong>CVS Caremark,\u00a0<\/strong>Goal Financial<\/em>).<\/li>\n<\/ol>\n

                      As this guidance is based on what companies did wrong or didn’t do\u00a0that led to FTC enforcement actions, it will be interesting to see how the FTC treats a company that suffers a data breach but\u00a0demonstrates that they used reasonable efforts to comply with the FTC’s guidance. \u00a0I suspect the FTC will\u00a0take a company’s compliance with this guidance into consideration when\u00a0determining penalties\u00a0in an enforcement action. The guidance is very high-level,\u00a0so companies must rely on their IT and Legal teams to determine what steps, processes and protocols need to be implemented in alignment\u00a0with the FTC’s\u00a0guidance.<\/p>\n

                      In addition to publishing the guide, the FTC has embarked on a conference series aimed at\u00a0SMBs (small and medium-sized businesses), start-up companies, and developers to provide information on “security by design,” common security vulnerabilities, secure development strategies, and vulnerability response. \u00a0The first conference took place September 9 in San Francisco, CA; the second will take place November 5<\/span> in Austin, TX<\/span>.<\/p>\n

                      The FTC also announced a new website at which they’ve gathered all of their data security guidance, publications, information and tools as a “one-stop shop”. \u00a0You can find it at http:\/\/www.ftc.gov\/datasecurity<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

                      It’s not the latest group on tour with a band name and album name that needed a lot more thought. \u00a0Earlier this year, the FTC announced that they would be releasing guidance for businesses on data security.\u00a0 In June, they … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,9,10,11,1],"tags":[68,69,96,141,163],"class_list":["post-236","post","type-post","status-publish","format-standard","hentry","category-legal","category-otherlegal","category-privacy","category-security","category-uncategorized","tag-data-breach","tag-data-privacy","tag-ftc","tag-privacy","tag-security"],"_links":{"self":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts\/236","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/comments?post=236"}],"version-history":[{"count":0,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/posts\/236\/revisions"}],"wp:attachment":[{"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/media?parent=236"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/categories?post=236"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ericlambert.net\/blog\/wp-json\/wp\/v2\/tags?post=236"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}