Recent challenges to the Federal Trade Commission’s (FTC) authority to police data security practices have criticized the agency’s failure to provide adequate guidance to companies.
In other words, the criticism goes, businesses do not know what they need to do to avoid a charge that their data security programs fall short of the law’s requirements.
A series of blog posts that the FTC began on July 21, 2017, titled “Stick with Security,” follows promises from acting Chair Maureen Ohlhausen to provide more transparency about practices that contribute to reasonable data security. Some of the posts provide insight into specific data security practices that businesses should take, while others merely suggest what, in general, the FTC sees as essential to a comprehensive data security program.
Building on the data security principles drawn from FTC enforcement actions and articulated more than two years ago in Start with Security: A Guide For Business, the inaugural post addresses the question of whether there any recurring themes of data security investigations closed by the FTC. The answer is general, stating that the practices that led the staff to close investigations largely aligned with the practices recommended in Start with Security: “For example, the companies typically had effective procedures in place to train their staff, keep sensitive information secure, address vulnerabilities and respond quickly to new threats.”
These general conclusions from the FTC do not suggest actual practices that businesses can operationalize. It may be more helpful for the FTC to specify precisely what those companies did to avoid prosecution. The blog post does note that the FTC may close an investigation where the risk of harm in the event of a data breach is low because the data was properly encrypted.
It appears that the Stick with Security series will generally affirm the types of “reasonable” security practices that are by now becoming standard best practices. Indeed, the second post refreshes the baseline “start with security” principle from the FTC’s Start with Security guidance. Companies are reminded (with updated examples): to not collect personal information they don’t need, to hold onto information only as long as there is a legitimate business need, to not use personal information when it is not necessary, to regularly train and remind staff on security standards and practices, and, when feasible, to offer consumers more secure choices.
The third post discusses access controls, recommending specific measures such as implementing a “clean desk” policy for employees and limiting administrator-level IT privileges, and the fourth post, covering passwords and authentication processes, provides a few helpful pointers. For example, the FTC recommends that systems be designed to automatically reject passwords that are too obvious or simple and to suspend accounts whenever multiple incorrect logins have been attempted. It also recommends that companies protect sensitive databases with multifactor authentication, such as a password in combination with a verification code sent to a user’s phone. Like most of the preceding posts, however, the most recent installment, which recommends that companies segment and monitor access to their networks, does not go very far beyond approvingly citing general examples of implementing segmentation and network monitoring.
The FTC promises a new post every Friday over the coming months. The next post is expected to discuss how companies should secure remote access to their networks. While it is encouraging that the FTC is attempting to increase its guidance to businesses, it remains to be seen what new insights a business will actually be able to glean from these efforts.
* * *
For more on federal and state regulation of computer security matters, please see the following Socially Aware articles: N.Y.’s New Cybersecurity Regulations: What Financial Services Companies Need to Know; FTC Report Reinforces the Rules for Cross-Device Tracking; and FTC Issues Landmark Report on Internet of Things.