FTC Issues Data Security Guidance and Announces Data Security Conferences
Addressing the expectations revealed in the guidance may not eliminate all data security risk, but the guidance is a useful resource for assessing data security programs. For those looking to explore the FTC’s data security materials on their own, the FTC announced a new “at-a-glance” site where key FTC materials are available.
The FTC identified ten lessons from its data security settlements. We summarize the FTC’s expectations and provide brief descriptions of some of the settlements from which they derive:
- Start with security. Companies should make conscious choices about the kind of data they collect, how long they keep it, and how they allow access to it.
  - RockYou – allegedly collected users’ email addresses and passwords unnecessarily and thereby increased the risk of unauthorized access to email accounts;
  - Accretive – allegedly used consumers’ personal information in employee training sessions, and did not remove the information from employees’ computers after the sessions were over; and
  - foru International – allegedly allowed service providers to access sensitive consumer data during the development of applications where such access was not necessary.
- Control access to data sensibly. Take reasonable steps to secure data, including by limiting access to the company’s network, restricting access to sensitive data, and limiting administrative access.
  - Goal Financial – allegedly failed to implement reasonable restrictions on employee access to customers’ personal information, which resulted in personal information being transferred to third parties without authorization; and
  - Twitter – allegedly granted administrative access to employees whose jobs did not require such access, thereby increasing the risk of hackers gaining administrative access via compromised employee credentials.
- Require secure passwords and authentication. To safeguard personal information, companies should require employees to use complex and unique passwords, store passwords securely, guard against brute force attacks, and address vulnerabilities in authentication mechanisms.
  - Twitter – allegedly did not require employees to use hard-to-guess passwords;
  - Guidance Software – allegedly stored user credentials in plain text;
  - Twitter – allegedly failed to prohibit employees from storing administrative passwords in plain text in their personal email accounts;
  - Lookout Services and Twitter – allegedly failed to suspend or disable user credentials after multiple unsuccessful login attempts; and
  - Lookout Services – allegedly failed to adequately assess the vulnerability of its web application to widely known security flaws.
- Store sensitive personal information securely and protect it during transmission. Companies should encrypt sensitive data with technologies appropriate to the type of data, the context of collection, and the manner in which the data is processed.
  - Superior Mortgage Corporation – allegedly failed to encrypt emails containing customers’ sensitive information;
  - ValueClick – allegedly stored sensitive customer information in a database using an encryption method having significant vulnerabilities; and
  - Fandango and Credit Karma – both companies allegedly failed to validate SSL certificates, thereby undermining the benefits of encrypted SSL communications.
- Segment your network and monitor who’s trying to get in and out. Companies should set up firewalls and intrusion detection mechanisms to prevent and identify unauthorized access to networks.
  - DSW – allegedly did not appropriately restrict computers on in-store networks from connecting to computers on corporate networks or networks at other stores; and
  - Dave and Buster’s and CardSystems Solutions – both companies allegedly failed to implement reasonable measures (e.g., intrusion detection systems) to detect unauthorized access to their networks.
- Secure remote access to your network. If companies allow employees, clients, or service providers to access their networks remotely, they must reasonably secure access points.
  - Premier Capital Lending – allegedly failed to adequately evaluate a business client’s security practices before granting the client remote access to its network;
  - Settlement One – allegedly granted clients access to an online portal without first ensuring that these clients had implemented basic security measures, such as firewalls and updated antivirus software;
  - LifeLock – allegedly failed to install antivirus software on computers used to remotely access its network; and
  - Dave and Buster’s – allegedly failed to restrict third-party access rights.
- Apply sound security practices when developing new products. Security begins with design. Companies should train their engineers in secure coding, follow platform security guidelines, verify the operation of privacy and security features, and test networks for common vulnerabilities.
  - MTS, HTC America, and TRENDnet – allegedly did not train their employees in secure coding practices, which led to security vulnerabilities in software;
  - HTC America, Fandango, and Credit Karma – allegedly did not follow security guidelines issued by platforms, such as those contained in the iOS and Android guidelines for developers;
  - TRENDnet – allegedly failed to test a feature that purportedly rendered camera feeds private; and
  - Guess? – allegedly failed to test its web application for SQL injection attacks, a commonly known and reasonably foreseeable vulnerability.
- Make sure your service providers implement reasonable security measures. Supply chains present a wide range of information security risks. To mitigate these risks, companies should seek appropriate assurances regarding the security practices and capabilities of vendors.
  - GMR Transcription – allegedly failed to require service providers to implement reasonable security measures, such as encrypting sensitive data; and
  - Upromise – allegedly failed to verify whether a toolbar developed by a service provider collected information consistent with Upromise’s privacy disclosures.
- Put procedures in place to keep your security current and address vulnerabilities that may arise. Keep ahead of the latest threats by updating and patching third-party software. Heed credible security warnings by moving quickly to fix the reported problems.
  - TJX Companies – allegedly failed to update its anti-virus software within a reasonable timeframe;
  - HTC America – allegedly failed to implement processes for receiving and responding to reports of security vulnerabilities; and
  - Fandango – allegedly did not have effective processes in place for receiving and responding to security vulnerabilities.
- Secure paper, physical media, and devices. Many of the lessons that apply to network security also apply to paper records and physical media. Companies should secure sensitive paper files, protect devices that process sensitive information, maintain safety standards when transporting data, and dispose of sensitive data securely.
  - Gregory Navone – allegedly left boxes of sensitive consumer information unprotected in his garage;
  - LifeLock – allegedly left faxes containing consumers’ personal information in easily accessible areas;
  - Accretive and CBR Systems – allegedly failed to prevent personal information from being transported without adequate security measures, making the information vulnerable to theft; and
  - Rite Aid, CVS Caremark, and Goal Financial – allegedly disposed of sensitive information without rendering the information unreadable.
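The "Require secure passwords and authentication" lesson turns on two concrete practices: credentials must not be kept in plain text (the Guidance Software and Twitter allegations) and an account must stop accepting logins after repeated failures (the Lookout Services and Twitter allegations). The following Python module is an added example written for this entry, not code from the FTC guidance or from any of the companies named; the class, the iteration count, the lockout threshold and the sample user are assumptions made for illustration.

```python
"""Hashed credential storage with brute-force lockout (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256
MAX_FAILED_ATTEMPTS = 5       # assumed threshold before an account is disabled
SALT_BYTES = 16


@dataclass
class UserRecord:
    salt: bytes            # per-user random salt: identical passwords hash differently
    digest: bytes          # PBKDF2 output; the password itself is never stored
    failed_attempts: int = 0
    locked: bool = False


class CredentialStore:
    def __init__(self, iterations: int = PBKDF2_ITERATIONS) -> None:
        self._iterations = iterations
        self._users: dict[str, UserRecord] = {}

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self._iterations
        )

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        self._users[username] = UserRecord(salt=salt, digest=self._derive(password, salt))

    def authenticate(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Do the same work for unknown users so response time does not
            # reveal which usernames exist.
            self._derive(password, b"\x00" * SALT_BYTES)
            return False
        if record.locked:
            return False
        candidate = self._derive(password, record.salt)
        # Constant-time comparison: a plain == would leak how many leading bytes match.
        if hmac.compare_digest(candidate, record.digest):
            record.failed_attempts = 0
            return True
        record.failed_attempts += 1
        if record.failed_attempts >= MAX_FAILED_ATTEMPTS:
            record.locked = True   # disabled until an administrator resets it
        return False

    def is_locked(self, username: str) -> bool:
        record = self._users.get(username)
        return record is not None and record.locked

    def stored_form(self, username: str) -> str:
        """What actually sits on disk for this user: algorithm, salt and digest, hex-encoded."""
        record = self._users[username]
        return f"pbkdf2_sha256${self._iterations}${record.salt.hex()}${record.digest.hex()}"


if __name__ == "__main__":
    store = CredentialStore()
    store.register("analyst", "correct horse battery staple")   # constructed sample user
    print("stored:", store.stored_form("analyst"))
    print("right password:", store.authenticate("analyst", "correct horse battery staple"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.authenticate("analyst", "guess")
    print("locked after repeated failures:", store.is_locked("analyst"))
```

The stored form contains only the salt and the derived digest, so a copy of the credential table does not yield usable passwords, and the lockout is enforced inside the store rather than by the caller, so every login path gets it.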
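Under "Apply sound security practices when developing new products", the Guess? allegation is that the web application was never tested for SQL injection. The following Python script is an added example written for this entry, not code from the FTC guidance or from Guess?; the table, the constructed rows and both lookup functions are assumptions. It places the unsafe query beside its parameterized replacement and shows the regression check that distinguishes them.

```python
"""SQL injection regression check for a customer lookup (added example)."""
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("ann@example.com", "1234"), ("bob@example.com", "5678")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """'Before' form: the request value becomes part of the SQL text, so a
    quote in the input changes the structure of the statement."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Hardened form: the value is bound by the driver and is only ever data."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def injection_regression_check(lookup, conn: sqlite3.Connection) -> bool:
    """The check a release pipeline would run against any lookup function:
    a probe value containing a quote must not widen the result set beyond
    exact-match rows, and a legitimate value must still be found."""
    probe = "x' OR '1'='1"            # no customer has this email address
    if lookup(conn, probe):            # any row back means the quote was interpreted as SQL
        return False
    return lookup(conn, "ann@example.com") == [("ann@example.com", "1234")]


if __name__ == "__main__":
    db = build_sample_db()
    print("vulnerable lookup passes check:", injection_regression_check(lookup_vulnerable, db))
    print("parameterized lookup passes check:", injection_regression_check(lookup_parameterized, db))
```

The check is deliberately generic over the lookup function so it can run against every query path in a code base; the unsafe version returns every customer row for the probe, the parameterized version returns none.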
The FTC will be addressing its data security recommendations at two conferences this fall. The first of these conferences will occur in San Francisco on September 9th and will focus on security considerations for start-ups and developers. The second event will take place in Austin on November 5th; the focus of the Austin event has yet to be announced. The events will bring together experts to provide information on security by design, common security vulnerabilities, strategies for secure development, and vulnerability response. They will be free, open to the public, and will not require pre-registration.
James Denvil and Brian Kennedy, Associates in our Washington, D.C. office, contributed to this entry.
This entry was originally posted on Hogan Lovells’ Chronicle of Data Protection