{"id":539,"date":"2015-09-18T11:53:01","date_gmt":"2015-09-18T11:53:01","guid":{"rendered":"http:\/\/www.ftcguardian.com\/articles\/?p=539"},"modified":"2017-03-17T05:54:53","modified_gmt":"2017-03-17T05:54:53","slug":"ftc-releases-start-with-security-guide","status":"publish","type":"post","link":"https:\/\/www.ftcguardian.com\/articles\/ftc-releases-start-with-security-guide\/","title":{"rendered":"FTC Releases \u201cStart with Security\u201d Guide"},"content":{"rendered":"<div>\n<h1>FTC Releases \u201cStart with Security\u201d Guide to \u201cPractical Lessons\u201d From Data Security Enforcement Actions<\/h1>\n<p style=\"text-align: left;\">This is super important for those of us in business! The FTC's goal is to have all companies build security &#8220;into the decision making in every department of your business&#8221; and we here at FTC Guardian could not agree more &#8211; even your marketing strategies need to start with proper legal strategies.<\/p>\n<p style=\"text-align: left;\">As part of its ongoing outreach efforts to educate businesses about the importance of data security practices, the FTC has released a list entitled &#8220;Start with Security: A Guide\u00a0for Business&#8221; \u00a0that is comprised of 10 practical lessons drawn from its previous data security enforcement actions.<\/p>\n<p style=\"text-align: left;\"><a href=\"http:\/\/go.ftcguardian.com\/bw4uoy\" target=\"_blank\"><img decoding=\"async\" src=\"https:\/\/s3.amazonaws.com\/ftcguardian\/images\/728x90-Un-vjy-FTC-GUARDIAN-banner-2.gif\"\/><\/a><\/p>\n<h2 style=\"text-align: center;\"><strong>Here\u2019s a brief overview of the matters <\/strong><\/h2>\n<h2 style=\"text-align: center;\"><strong>included in the FTC\u2019s list:<\/strong><\/h2>\n<div id=\"\">\n<ul>\n<li>\n<p class=\"rtejustify\"><strong>Start with Security<\/strong>:\u00a0 Building on the FTC\u2019s prior emphasis on privacy by design, the first item in the list encourages companies to build security \u201cinto the 
decisionmaking in every department of your business.\u201d\u00a0 The report notes that companies should refrain from collecting personal information\u00a0they don\u2019t need, retain the information only as long as a legitimate business need exists, and refrain from using personal information\u00a0when it\u2019s not necessary.\u00a0 The FTC pointed to its enforcement action against\u00a0<span style=\"text-decoration: underline;\">BJ\u2019s <\/span><span style=\"text-decoration: underline;\">Wholesale<\/span><span style=\"text-decoration: underline;\"> Club<\/span>\u00a0as an example of an unreasonable risk created by unnecessary retention of personal information, which hackers subsequently gained access to.<\/p>\n<\/li>\n<li>\n<p class=\"rtejustify\"><strong>Control Access to Data Sensibly<\/strong>:\u00a0 This topic focuses on the need to not only protect data from outsiders, but insiders as well.\u00a0 According to the FTC\u2019s post, \u201c[n]ot everyone on your staff needs unrestricted access to your network and the information stored on it.\u201d\u00a0 Access to sensitive data should be restricted to employees who need to access that data as part of their employment duties, and administrative access (described as access that \u201callows a user to make system-wide changes to your system\u201d) should be restricted to employees who require that access as part of their job. 
For example, the FTC\u2019s enforcement action against\u00a0<span style=\"text-decoration: underline;\">Twitter<\/span>\u00a0faulted the company for increasing the risk of an eventual breach by granting administrative access over its system to most of its employees.<\/p>\n<\/li>\n<li>\n<p class=\"rtejustify\"><strong>Require Secure Passwords and Authentication<\/strong>:\u00a0 The FTC recommends that companies that store personal information on their networks use strong authentication procedures, including sensible password \u201chygiene,\u201d to protect that information from unauthorized access.\u00a0 Companies should insist on \u201ccomplex and unique\u201d passwords and train their employees \u201cnot to use the same or similar passwords for both business and personal accounts.\u201d\u00a0 Passwords should never be stored in plain text, according to several FTC enforcement actions, and companies should also \u201cconsider other protections \u2014 two-factor authentication, for example \u2014 that can help protect against password compromises.\u201d\u00a0 The report also suggests that companies should guard against brute force attacks by suspending or disabling accounts after repeated login attempts and protect against methods of bypassing their authentication safeguards by testing for common security vulnerabilities.<\/p>\n<\/li>\n<li>\n<p class=\"rtejustify\"><strong>Store Sensitive Personal Information Securely and Protect it During Transmission<\/strong>:\u00a0 The FTC urges companies to utilize \u201cstrong cryptography to secure confidential material during storage and transmission,\u201d including TLS\/SSL encryption, data-at-rest encryption, or an iterative cryptographic hash.\u00a0 The FTC also emphasized the need to ensure that the employees responsible for data security understand how the company uses sensitive data and have the experience to react appropriately in different situations.\u00a0 This risk is not limited to transmissions outside of a 
company\u2019s network \u2014 in its enforcement action against\u00a0<span style=\"text-decoration: underline;\">Superior <\/span><span style=\"text-decoration: underline;\">Mortgage<\/span><span style=\"text-decoration: underline;\"> Corporation<\/span>, the FTC faulted the company for retaining sensitive personal information within the company\u2019s offices in clear text, even though the information was encrypted in transmission outside of the network.\u00a0 Companies should also utilize industry-standard and accepted security methods, the report noted, as the FTC has previously pursued an enforcement action for using a \u201cproprietary\u201d form of encryption with significant vulnerabilities.\u00a0 Finally, companies should ensure that their encryption methods are configured properly.\u00a0 The FTC recently entered into settlements with\u00a0<span style=\"text-decoration: underline;\">Credit <\/span><span style=\"text-decoration: underline;\">Karma<\/span><span style=\"text-decoration: underline;\"> and Fandango<\/span>\u00a0for disabling SSL certificate validation, a critical step that undermined their apps\u2019 use of SSL encryption.<\/p>\n<\/li>\n<li>\n<p class=\"rtejustify\"><strong>Segment Your Network and Monitor Who\u2019s Trying to Get In and Out<\/strong>:\u00a0 Companies should consider utilizing firewalls and similar tools to segregate different portions of their network, the report notes, with a particular emphasis on housing sensitive data in a separate, secure place on the network.\u00a0 The staff also suggests that companies should utilize effective intrusion detection and monitoring tools to reduce the risk or breadth of a data compromise by detecting early signs of malicious activity.\u00a0 For example, in its enforcement action against\u00a0<span style=\"text-decoration: underline;\">Dave <\/span><span style=\"text-decoration: underline;\">&<\/span><span style=\"text-decoration: underline;\"> Buster\u2019s<\/span>, the FTC alleged that the 
company did not use an intrusion detection system or monitor its system logs for suspicious activity, thereby expanding the breadth of a payment card breach.<\/p>\n<\/li>\n<li>\n<p class=\"rtejustify\"><strong>Secure Remote Access to Your Network<\/strong>:\u00a0 Due to the increased use of mobile devices in the workplace, the FTC suggested that companies that grant remote access to their networks must pay special attention to securing these access points.\u00a0 The FTC has pursued enforcement actions against companies that failed to ensure proper endpoint security for computers with access to their networks.\u00a0 For example, in its enforcement cases against\u00a0<span style=\"text-decoration: underline;\">Premier Capital<\/span> <span style=\"text-decoration: underline;\">Lending<\/span>\u00a0and\u00a0<span style=\"text-decoration: underline;\">Settlement<\/span><span style=\"text-decoration: underline;\"> One<\/span>, the FTC faulted each company for failing to properly assess and ensure that its clients had proper security measures in place before granting them access to sensitive information on the company\u2019s networks and systems.\u00a0 The report suggests that companies should impose sensible access limits, including restricting third-party network connections to specified IP addresses or granting temporary, limited access.<\/p>\n<\/li>\n<li>\n<p class=\"rtejustify\"><strong>Apply Sound Security Practices When Developing New Products<\/strong>:\u00a0 Companies should start, the report suggests, by adequately training their employees responsible for product development in secure coding practices, as several companies have faced FTC enforcement actions for failing to implement \u201creadily available\u201d security mechanisms to protect sensitive information. 
The FTC has also pursued enforcement actions against companies, such as\u00a0<a href=\"http:\/\/www.natlawreview.com\/article\/snapchat-settles-federal-trade-commission-ftc-charges\" target=\"_blank\"><span style=\"text-decoration: underline;\">Snapchat<\/span><\/a>\u00a0and\u00a0<span style=\"text-decoration: underline;\">TRENDnet<\/span>, for failing to verify that advertised security and privacy features functioned as intended.\u00a0 Finally, the FTC\u2019s staff endorsed the use of testing for common vulnerabilities, such as SQL injection attacks and other vulnerabilities identified through the\u00a0<span style=\"text-decoration: underline;\">Open Web Application <\/span><span style=\"text-decoration: underline;\">Security<\/span><span style=\"text-decoration: underline;\"> Project<\/span>.<\/p>\n<\/li>\n<li>\n<p class=\"rtejustify\"><strong>Make Sure Your Service Providers Implement Reasonable Security Measures<\/strong>:\u00a0 Prior to hiring a third party, the report states that companies should be \u201ccandid\u201d about their security expectations and take \u201creasonable steps\u201d to ensure that the third party meets the appropriate security requirements.\u00a0 Companies should not only insist that appropriate security standards are part of written contracts with third parties, the report suggests, but also should verify compliance with these provisions.\u00a0 For example, the FTC pursued an enforcement action against\u00a0<span style=\"text-decoration: underline;\">Upromise<\/span>\u00a0after it failed to verify that a third-party developer had complied with the terms of its contract to develop a browser toolbar, leading to the clear-text transmission of sensitive information.<\/p>\n<\/li>\n<li>\n<p class=\"rtejustify\"><strong>Put Procedures in Place to Keep Your Security Current and Address Vulnerabilities that May Arise<\/strong>:\u00a0 Companies should apply updates and patches to third-party software on their networks as they become available to 
avoid unnecessary vulnerabilities.\u00a0 Although the FTC acknowledges that companies may need to prioritize patches by severity, companies should have a \u201creasonable process in place to update and patch\u201d third-party software.\u00a0 Companies also should have an effective process in place to receive and address security vulnerability reports, the report notes, and should consider developing and publicizing a specific channel, such as a dedicated email address, to receive vulnerability reports and flag them to the appropriate security personnel.<\/p>\n<\/li>\n<li>\n<p class=\"rtejustify\"><strong>Secure Paper, Physical Media, and Devices<\/strong>:\u00a0 The FTC also urges companies to consider physical security for hard drives, laptops, flash drives, disks, and other similar items alongside network security measures.\u00a0 Companies should store sensitive hard-copy files in physically secure locations and shred, burn, or otherwise render documents unreadable, as well as using available technology to wipe devices clean after they are no longer in use.\u00a0 Companies should also ensure that devices that collect sensitive information, such as PIN pads, are secured, and that safety standards are observed while physical media is in transit.\u00a0 For example, the report notes that companies should utilize mailing methods that allow for package tracking, limit instances when employees need to take sensitive data outside of the workplace, and ensure that employees keep sensitive information out of sight and physically secured whenever possible.<\/p>\n<\/li>\n<\/ul>\n<\/div>\n<p>The FTC has also launched a new website that\u00a0<a href=\"https:\/\/www.ftc.gov\/datasecurity\" target=\"_blank\">consolidates its data security advice<\/a>\u00a0from prior cases, public statements, advocacy filings, and other activities.<\/p>\n<p>via <a href=\"http:\/\/www.natlawreview.com\/article\/ftc-releases-start-security-guide-to-practical-lessons-data-security-enforcement-act\" 
target=\"_blank\">FTC Releases \u201cStart with Security\u201d Guide to \u201cPractical Lessons\u201d From Data Security Enforcement Actions | The National Law Review<\/a><\/p>\n<h2><span style=\"color: #000000;\"><span style=\"font-weight: 400;\">Here\u2019s How To Make Sure You,<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">Your Business & Website Is FTC Compliant<\/span><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">By now it should be clear how important it is for you to be FTC compliant. But how can you do that without spending $7,500-$8,000 or more on Internet Attorneys?<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Smart business owners around the world are doing it with the help of <\/span><span style=\"font-weight: 400;\">FTC Guardian<\/span><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">FTC Guardian is a service that is 100% focused on helping you get and stay FTC compliant and fully protected. 
<a href=\"https:\/\/go.ftcguardian.com\/bw4uoy\" target=\"_blank\">And right now, we are offering a free training to give you the knowledge, information, and guidance that you need to stay out of trouble with the Federal Trade Commission.<\/a><\/p>\n<p>The training is titled: <a href=\"https:\/\/go.ftcguardian.com\/bw4uoy\" target=\"_blank\"><strong>3 Tragic (Legal) Privacy Policy List Building Mistakes That Can Get You In Hot Water With The FTC Today &#8211; Resulting In Your Business Being Shut Down&#8230; And How To Solve It!<\/strong><\/a><\/p>\n<p><span style=\"font-weight: 400;\">Here are some of the things you\u2019ll discover on the training:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Real-Life Examples of People Who Didn\u2019t Think They Were At Risk, But Who Got Nailed By The FTC, And Why It Could Happen To You, Too<\/span><\/li>\n<li style=\"font-weight: 400;\">Why 2014 Was a Significant Year For Online Businesses, And Why You Should Be Worried!<\/li>\n<li style=\"font-weight: 400;\">The 3 Enormous Powers The FTC Has That Can Change Your Life \u2013 And Your Family\u2019s Life \u2013 Forever!<\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">How to Avoid FTC Claims When Collecting Leads With Optin Forms<\/span><\/li>\n<li style=\"font-weight: 400;\">3 Privacy Policy Mistakes Every Digital Marketer Is Making, And Why You're In The FTC\u00a0Crosshairs.<\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">And Much More\u2026<\/span><\/li>\n<\/ul>\n<p><b>Remember: legal protection is a massively important part of your business, and it\u2019s one you cannot afford to ignore any longer.<\/b><\/p>\n<p><a href=\"https:\/\/go.ftcguardian.com\/bw4uoy\" target=\"_blank\">Go here to register for our next FREE training and make sure your business is FTC compliant today!<\/a><\/p>\n<p><b>Disclaimer: \u00a0This article 
is provided for informational purposes only. It\u2019s not legal advice, and no attorney-client relationship is created. Neither the author nor FTC Guardian, Inc. is endorsed by the Federal Trade Commission.<\/b><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>As part of its ongoing outreach efforts to educate businesses about the importance of data security practices, the FTC has released a list entitled \u201cStart with Security: A Guide for Business\u201d  that is comprised of 10 practical lessons drawn from its previous data security enforcement actions.   <\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_analytify_skip_tracking":false,"footnotes":""},"categories":[12],"tags":[28,31,49],"class_list":["post-539","post","type-post","status-publish","format-standard","hentry","category-ftc-compliance","tag-federal-trade-commission","tag-ftc","tag-start-with-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/posts\/539","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/comments?post=539"}],"version-history":[{"count":3,"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/posts\/539\/revisions"}],"predecessor-version":[{"id":549,"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/posts\/539\/revisions\/549"}],"wp:attachment":[{"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/media?parent=539"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/
www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/categories?post=539"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ftcguardian.com\/articles\/wp-json\/wp\/v2\/tags?post=539"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}