On June 30, 2015, the Federal Trade Commission (FTC) announced the first two events of its new "Start with Security" business education initiative, which is intended to provide additional guidance on data security best practices.[1] The first event, a September 9, 2015, conference at the University of California Hastings College of Law in San Francisco,[2] is targeted at start-ups and developers. The conference will cover topics such as "security by design," common security vulnerabilities, strategies for secure development, and vulnerability response. The second conference will be held at the University of Texas in Austin on November 5, 2015.
As part of the initiative, the FTC also published "Start with Security: A Guide for Business."[3] Based on the FTC's previous data security settlements and closing letters, the guide sets forth ten principal data security recommendations, each with several examples providing more specific guidance. Companies are urged to implement "security by design," factoring data security into all stages of decision-making related to personal data, as well as throughout the development of new products and services. The guide also recommends that companies protect access to personal information, for example, by limiting access to information based on business need and by ensuring that secure passwords and authentication controls are in place. Ensuring the security of sensitive information both at rest and in transit is another key recommendation in the FTC's guide, including ensuring that encryption methods are configured appropriately, as was allegedly at issue in the FTC's enforcement actions against Fandango and Credit Karma.[4]
Network security has been a common theme in many FTC data security cases, including those against Dave & Buster's,[5] SettlementOne,[6] and CardSystems Solutions.[7] In this vein, the guide recommends that companies secure, monitor, and limit remote access to their internal networks. The guide also recommends practices that companies should consider adopting with respect to service providers, such as including security requirements in contracts and monitoring compliance with those requirements. In addition, the guidance makes clear that companies should address vulnerabilities as they arise, for example by patching third-party software or by responding to a security warning sent by researchers. Finally, the guide notes that data security also applies to paper, physical media, and devices, which need to be stored securely and protected while in transit or being disposed of.
In addition to the guide and the event announcements, the FTC launched a new consolidated website dedicated to data security at www.ftc.gov/datasecurity.
Implications
With its "Start with Security" initiative, the FTC continues its push to be the leading data security regulator. Companies should review their current practices to determine whether any gaps exist relative to the recommendations set forth in the business guide and, if so, should take steps to address those gaps.
[1] Press Release, FTC, "FTC Kicks Off 'Start with Security' Business Education Initiative," June 30, 2015, available at https://www.ftc.gov/news-events/press-releases/2015/06/ftc-kicks-start-security-business-education-initiative.