
12/19/2017 Stick with Security: A Business Blog Series | Federal Trade Commission

Stick with Security: A Business Blog Series


TAGS: Privacy and Security, Data Security, Small Business

The 2017 Stick with Security series on the Bureau of Consumer Protection Business Blog offers additional insights into the ten Start
with Security principles, based on the lessons of recent law enforcement actions, closed investigations, and experiences companies
have shared about starting with security at their business.

For businesses, the key to safeguarding sensitive information is to start with security. The Start with Security brochure and videos released in 2015 offer practical tips to take from the FTC's 60+ data security cases. From sensible information collection policies and product design through training, transmission, storage, monitoring, and disposition, Start with Security breaks data security down to ten actionable principles suited for companies of any size and in any sector.

Looking for a deeper dive? The 2017 Stick with Security series on the Bureau of Consumer Protection Business Blog offers additional
insights into those ten principles based on the lessons of recent law enforcement actions, closed investigations, and experiences
companies have shared about starting with security at their business.

Stick with Security: Insights into FTC investigations

#1 Start with security and stick with it

#2 Stick with Security: Control access to data sensibly

#3 Stick with Security: Require secure passwords and authentication

#4 Stick with Security: Store sensitive personal information securely and protect it
during transmission

#5 Stick with Security: Segment your network and monitor who's trying to get in and out

#6 Stick with Security: Secure remote access to your network

#7 Stick with Security: Apply sound security practices when developing new products


#8 Stick with Security: Make sure your service providers implement reasonable security
measures

#9 Stick with Security: Put procedures in place to keep your security current and
address vulnerabilities that may arise

#10 Stick with Security: Secure paper, physical media, and devices

Stick with Security: FTC resources for your business

October 2017

https://www.ftc.gov/tips-advice/business-center/guidance/stick-security-business-blog-series
12/19/2017 Stick with Security: Insights into FTC Investigations | Federal Trade Commission

Stick with Security: Insights into FTC Investigations

Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection
Jul 21, 2017

TAGS: Bureau of Consumer Protection, Consumer Protection, Privacy and Security, Data Security

Savvy business people are on the lookout for ways to minimize their companies' risk of a data breach. Many businesses consult the FTC's complaints and orders, each of which includes a detailed description of the conduct alleged to have violated the FTC Act. Perhaps it was a broken promise about the care the company said it would take when handling consumers' sensitive data. In other cases, it might be a pattern of failures which, when taken together, led to the theft and misuse of customers' confidential information.

But that isn't the only way to learn about our approach to data security. FTC press releases, business guidance publications, videos, speeches, workshops, reports, more than 150 security-centric Business Blog posts, and other communications offer practical advice on how the FTC Act applies to data security. One particularly practical source of information is Start with Security, our nuts-and-bolts brochure that distills the lessons learned from FTC cases down to 10 manageable fundamentals applicable to companies of any size.

Businesses have asked us to keep the guidance coming, which is why we're announcing a new initiative, Stick with Security. For the next few months, we'll publish a Business Blog post every Friday focusing on each of the 10 Start with Security principles. This time, we'll use a series of hypotheticals to take a deeper dive into steps companies can take to safeguard sensitive data in their possession. We'll offer easy-to-apply tips to help your company not just start with security, but stick with security to bolster your defenses.

Where are we getting our Stick with Security examples? First, from the FTC's 60+ complaints and orders, including new settlements and litigated cases announced since Start with Security was published.

Another important source of our Stick with Security examples is the experiences of businesses from across the country. We've listened to the day-to-day challenges you face in protecting sensitive information and have learned from the practical approaches you're taking to address data security challenges.

In addition, there are lessons to learn from investigations that staff closed with no further action. While we don't disclose the identities of the targets of those matters unless there has been a public closing letter, we think there is more we can do to explain for other companies the general principles that informed our thinking when we decided to close those investigations.

A preliminary question we often get from businesses is whether there are recurring themes that run through the investigations that are ultimately closed without law enforcement. One thing we've noticed is that those companies' practices often lined up with the common-sense security fundamentals in Start with Security. For example, the companies typically had effective procedures in place to train their staff, keep sensitive information secure, address vulnerabilities, and respond quickly to new threats.

Here are some other themes that emerge that offer insights into why investigations into breaches you may have heard about didn't necessarily result in FTC law enforcement:


There's more (or less) to the story than meets the eye.
Just like you, FTC staff reads the news. We see stories about data breaches and potential vulnerabilities all the time. But press reports are just the beginning of a potential inquiry, and sometimes we learn there's more to the story than what was initially reported. For example, a news report might call attention to a breach, but not focus on the fact that the data was encrypted, a factor that substantially reduces the risk of consumer injury. Or perhaps a purported insider asserts that a company doesn't securely dispose of old consumer data, but the company provided us with credible evidence that it does. So in some instances, there may have been smoke, but further investigation revealed no fire.

Proceeding further wouldn't be a good use of resources.
We like to think of the FTC as a small federal agency that in appropriate circumstances can pack a powerful law enforcement punch. But we're always conscious of the need to be good stewards of taxpayer dollars. Sometimes a company's practices may raise initial concerns, but there are other factors that suggest law enforcement wouldn't be in the public interest. For example, in some cases, a small business may have collected small amounts of non-sensitive information. In instances like that, if a breach occurs, we're less likely to spend limited resources to investigate.

We're not the right agency.
Given the FTC's broad jurisdiction over most commercial practices, we're the primary cop on the beat when it comes to data security. But we're not the only cop on the beat. As a result, we work closely with other agencies with related missions: the Department of Justice, Department of Health and Human Services, Consumer Financial Protection Bureau, Federal Communications Commission, and National Highway Traffic Safety Administration, to name just a few. Sometimes an alleged incident or practice is a more natural fit for another law enforcer. If that's the case, we may refer matters to other agencies and offer any assistance the law allows us to give. That's just one of the ways we work to avoid duplication, streamline investigations, and ensure a consistent approach to data security.

The risk to data is theoretical.
Over the past several years, we've seen an uptick in researchers focused on privacy and security issues. That's a development we welcome. We look to the latest studies, both research presented at PrivacyCon and elsewhere, to educate ourselves about emerging technologies and identify practices for investigation. But not all research leads to law enforcement. Sometimes when researchers bring practices creating vulnerabilities to our attention, the risk of the vulnerability being exploited to cause consumer injury is more theoretical than likely. For example, there may be a vulnerability in a mobile device that would take highly sophisticated tools to exploit, and even then, data could be compromised only if the hacker had the consumer's phone in hand. If that's the case, we're more likely to pass on an investigation than proceed.

Next in the Stick with Security series: Initial steps to start with security

https://www.ftc.gov/news-events/blogs/business-blog/2017/07/stick-security-insights-ftc-investigations
12/19/2017 Start with security and stick with it | Federal Trade Commission

Start with security and stick with it



Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection
Jul 28, 2017

TAGS: Bureau of Consumer Protection, Consumer Protection, Privacy and Security, Data Security

When it comes to data security, what's reasonable will depend on the size and nature of your business and the kind of data you deal with. But certain principles apply across the board: Don't collect sensitive information you don't need. Protect the information you maintain. And train your staff to carry out your policies.

The FTC's Start with Security initiative was built on those fundamentals. As we mentioned in last week's introductory post, we're calling this series Stick with Security because each blog post will offer a deeper dive into one of the ten principles discussed in Start with Security. Although the principles remain unchanged, we'll use these posts, one every Friday for the next several months, to explore the lessons of law enforcement actions announced since Start with Security, to reflect on what businesses can learn from investigations that FTC staff ultimately closed, and to address experiences businesses have shared with us about how they implement Start with Security in their workplaces.

Don't collect personal information you don't need.

It's a simple proposition: If you don't ask for sensitive data in the first place, you won't have to take steps to protect it. Of course, there will be data you must maintain, but the old habit of collecting confidential information "just because" doesn't hold water in the cyber era.

There's another advantage of collecting only what you need. A lean subset of confidential data is easier to protect than massive amounts of sensitive information stockpiled on networks and in file cabinets throughout your company. Businesses that sensibly limit what they collect have already reduced their security risks and streamlined their compliance procedures.

Example: A local garden center introduces a frequent buyer program. The application asks customers for a substantial amount of personal information, including Social Security numbers, and the garden center maintains the applications in its files. Because the store has no business reason to collect customers' Social Security numbers, it's taking an unnecessary risk by asking for that information in the first place and exacerbating that risk by keeping customers' applications on file.

Example: A bakery sends customers a coupon for a free birthday muffin. Rather than maintaining a record of all customers' dates of birth (information that could be combined with other data and used for unauthorized purposes), the bakery directs its cashiers to add only the customer's name, email address, and birth month to the database. Although there are legitimate reasons why other businesses might need to retain a customer's date of birth, the exact day, month, and year isn't necessary for the bakery's birthday promotion.

Example: A tire shop experiences a breach involving information about its 7000 customers. The data includes customers' names, loyalty numbers for the shop, and the date of their last tire rotation. FTC staff decides not to pursue a law enforcement action because, among other factors, the company had made the sound decision not to collect sensitive information unnecessarily and had taken reasonable steps to secure its network in light of the limited information it maintained.

Hold onto information only as long as you have a legitimate business need.

Movie fans will remember the last scene of Raiders of the Lost Ark: a football field-sized warehouse stacked to the vaulted ceiling with everyday items piled alongside priceless treasures. That's how data thieves view some businesses' haphazard method for maintaining their networks and files. Security-conscious companies make it a practice to review the data in their possession periodically, assess what they should maintain, and securely dispose of what's no longer needed.

Example: A large company attends recruiting fairs in cities around the country to attract professional talent. After each candidate completes an initial interview, the human resources personnel who staff the company's booth enter information about the person on an unencrypted company laptop. Data entered by the HR staff includes the candidate's resume, information regarding security clearance status, and the candidate's salary demand. The same unencrypted laptop is used at every recruiting fair and the data of previous candidates is never removed. The company has likely missed critical opportunities to dispose of candidates' sensitive information it no longer needed, including data from people it decided not to hire.

Don't use personal information when it's not necessary.

Of course, there will be times when your business will need to use sensitive data, but don't use it in contexts that create unnecessary risks.

Example: A company sells pet supplies through hundreds of sales representatives across the country. The company wants to hire a developer to design an app that sales representatives can use to access customer accounts. Those account files contain names, addresses, and financial information. To explain the scope of the project, the company sends interested app developers sample account files of actual customers. The more secure choice would have been to create mock files that don't include sensitive customer information.

Train your staff on your standards and make sure they're following through.

What poses the greatest risk to the security of sensitive information in your company's possession? And what's your #1 defense against unauthorized access? The answer to both questions is your staff. Train new employees, including seasonal workers and temps, on the standards you expect them to uphold. Devise sensible monitoring procedures to make sure they're complying with your rules. Because the nature of your business may change and threats will evolve, conduct all-hands-on-deck refreshers to explain new policies and reinforce your company's rules of the road.

Once you've educated your staff about the standards, deputize them to come forward with suggestions about improving your procedures. Encourage a collaborative process that takes advantage of everyone's expertise. A C-suite executive may have great big-picture ideas, but if you're looking for practical advice about protecting sensitive paperwork that people send to your company, consult the man in the mailroom, too.

Example: Before new employees are given network access, a company requires them to participate in in-house training. To
encourage their attention, the presentation features brief interactive quizzes. In addition, the company includes security-
related tips in its weekly email updates to all employees and periodically requires them to take refresher courses. By
training its staff on how to handle sensitive data and reinforcing its policies with regular reminders and supplemental security
education, the company has taken steps to encourage a culture of security.

Example: A company provides payroll services for small businesses. Once a month, a member of the IT staff is tasked with deactivating the network access and passwords of employees who have left the company within the past 30 days. The more secure practice would be to train the IT staff to block former employees' access immediately upon their departure.

When feasible, offer consumers more secure choices.

Think through your data collection practices, both in the day-to-day operation of your business and in the products, services, apps, etc., you offer consumers. Design your products to collect sensitive information only if it's necessary for functionality and clearly explain your practices to consumers up front. Consider how you can use default settings, set-up wizards, or toolbars to make it easier for users to make more secure choices. For example, if your product offers a range of privacy choices, from secure settings for less experienced users to advanced options for "black diamond" pros, set the out-of-the-box defaults at the more protective levels.

Example: A company manufactures a router that allows consumers to access documents on their home computers while they're away from home. By default, the router gives anyone on the internet unauthenticated access to all the files on the connected storage devices attached to consumers' routers, which may include financial data, health records, and other highly sensitive information. The product manual and set-up wizard don't explain these defaults and don't make it clear to users what's going on. The company could have reduced the possibility of unauthorized access by configuring its default settings in a more secure fashion.

Next in the series: Control access to data sensibly.

https://www.ftc.gov/news-events/blogs/business-blog/2017/07/start-security-stick-it
12/19/2017 Stick with Security: Control access to data sensibly | Federal Trade Commission

Stick with Security: Control access to data sensibly



Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection
Aug 4, 2017

TAGS: Bureau of Consumer Protection, Consumer Protection, Privacy and Security, Data Security

You've conducted an information census to identify and locate the confidential data in your company's possession. Then you determined what you need to hold on to for business purposes. What's the next step? According to Start with Security, it's time to put limits in place to control access to data sensibly.

It's not a novel concept. You have a lock on the door to prevent after-hours access to your business, and people can't just stroll onto your factory floor. You also protect your company's proprietary secrets from unauthorized eyes. That's why you don't post the recipe for your secret sauce on your website.

Are you exercising the same care with sensitive customer or employee data? Not everyone on your staff needs unrestricted access to all confidential information you keep. The better practice is to put sensible controls in place to allow access to employees who need it to do their jobs, while keeping others out. It's also wise to grant administrative access (the technical ability to make system-wide changes to your network or certain changes to desktop computers, for example installing new software) only to a limited number of trusted employees. We've created a series of examples based on FTC settlements, closed investigations, and questions we've heard from businesses to provide tips on controlling access to data sensibly.

Restrict access to sensitive data.

If employees don't have to use personal information as part of their job, there's no need for them to have access to it. For confidential paperwork, a reasonable access control could be as simple as a locked cabinet. For data on your network, separate user accounts that limit who can view sensitive files or databases are an effective option.

Example: Staff members at an employment agency review personnel files that sometimes include Social Security numbers. The employment agency makes sure that all employees have a locking desk drawer. In addition, the agency has a clean desk policy that requires workers to secure all sensitive paperwork when they leave at the end of the day, a policy the company monitors with periodic walk-throughs. Because the employment agency takes steps to see that employees keep documents that contain personal information under lock and key, it's less likely that an unauthorized person could access the data.

Example: Employees of a small company share one workstation. The staff member in charge of payroll has password-
protected access to a database of employee information. The staff member in charge of shipping has password-protected
access to a database of customer accounts. By limiting access based on a business need, the company has reduced the
risk of unauthorized use.

Example: A company offers an app that allows users to create profiles that include personal medical information. The system gives all employees (IT staff, sales representatives, HR personnel, and support staff) access to customer profiles. By giving access to sensitive data to staff members who don't need it for the performance of their duties, the company has created a situation that could put highly confidential information at risk.

Limit administrative access.

System administrators can change your network settings, and it's essential that someone on your staff has the authority to make necessary modifications. But just as a bank gives the combination to the central vault only to a few people, companies should limit admin rights accordingly. The risk is apparent: An untrustworthy administrator or too many employees with admin rights can undo the steps you've implemented to keep your system secure.

Example: A tech company uses the same login for all employees. The login has administrative rights that enable designated IT staffers to make system-wide changes. But that same login is used by the company's receptionist, a sales assistant, and a summer intern. The wiser approach is for the company to require different logins with only those privileges necessary for that employee to do his or her job.

The lesson for business is to restrict backstage passes to confidential information. Limit access to sensitive data to staff members who
need it for the performance of their duties.

Next in the series: Require secure passwords and authentication.

https://www.ftc.gov/news-events/blogs/business-blog/2017/08/stick-security-control-access-data-sensibly
12/19/2017 Stick with Security: Require secure passwords and authentication | Federal Trade Commission

Stick with Security: Require secure passwords and authentication



Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection
Aug 11, 2017

TAGS: Bureau of Consumer Protection, Consumer Protection, Privacy and Security, Data Security, Small Business

To make it harder for hackers to bluff their way onto a computer network, careful companies follow the advice of Start with Security and
require strong authentication practices.

We've considered FTC settlements, closed investigations, and the questions we get from businesses about implementing good authentication hygiene. Here are some tips on using effective authentication procedures to help safeguard your network.

Insist on long, complex, and unique passwords.

A password's very reason for being is to be easy for a user to remember, but hard for a fraudster to figure out. Obvious choices like ABCABC, 121212, or qwerty are the digital equivalent of a "hack me" sign. Furthermore, experts have determined that passphrases or longer passwords are generally harder to crack. The smarter strategy is for companies to think through their standards, implement minimum requirements, and educate users about how to create stronger passwords. Also, when you install software, applications, or hardware on your network, computers, or devices, change the default password immediately. And if you design products that require consumers to use a password, configure the initial set-up so they have to change the default password.

Example: A staff member attempts to select "payroll" as the password for the database that includes employee payroll information. The company sets up its system to reject an obvious choice like that.

Example: To access the corporate network, a business allows employees to type in their username and a shared
password common to everyone who works there. Employees are also allowed to use that shared password to access
other services on the system, some of which contain sensitive personal information. The more prudent policy would be to
require strong, unique passwords for each employee and to insist that they use different passwords to access different
applications.

Example: At a staff meeting, a company's IT manager offers tips for employees about good password hygiene. She explains that passphrases or longer passwords are better than short passwords based on standard dictionary words or well-known information (for example, a child's name, a pet, a birthday, or a favorite sports team). By establishing a more secure corporate password standard and educating employees about implementing it, the IT manager is taking a step to help her company reduce the risk of unauthorized access.


Store passwords securely.

A company's first line of defense against data thieves is a workforce trained to keep passwords secret. But even the strongest password is ineffective if an employee writes it on a sticky note on her desk or shares it with someone else. Train your staff not to disclose passwords in response to phone calls or emails, including ones that may appear to be coming from a colleague. Con artists have been known to impersonate corporate officials by spoofing phone numbers or email addresses.

A compromised password poses a particular risk if it can be used to open the door to even more sensitive information, for example a database of other user credentials maintained on the network in plain, readable text. Make it difficult for data thieves to turn a lucky password guess into a catastrophic breach of your company's most sensitive data by implementing policies and procedures to store credentials securely.

Example: A new employee gets a call from someone who claims to be the company's system administrator. The caller asks him to verify his network password. Because the new staffer learned about impersonation scams at an in-house security orientation, he refuses to disclose his password and instead reports the incident to the appropriate person in the company.

Example: A company keeps user credentials and other passwords in plain text in a word processing file on its network. If hackers were to gain access to the file, they would be able to use those credentials to open other sensitive files on the network, including a password-protected database of customers' financial information. In the event of a breach, the company could potentially reduce the impact of the breach by maintaining information about credentials in a more secure form.

Guard against brute force attacks.

In brute force attacks, hackers use automated programs to systematically guess possible passwords. (In a simple example, they try aaaa1,
aaaa2, aaaa3, etc., until they strike pay dirt.) One defense against a brute force attack is a system set up to suspend or disable user
credentials after a certain number of unsuccessful login attempts.

Example: A company sets up its system to lock a user out after a certain number of incorrect login attempts. That policy
accommodates the employee who mistypes her password on the first try, but types it correctly on the second, while
guarding against malicious brute force attacks.
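An added illustration, not part of the FTC post, of the lockout policy in the example above: a per-account guard that forgives a single typo, suspends the account after a burst of failed attempts, and lifts the suspension after a cooling-off period. The thresholds, user names and the injectable clock are constructed for the example.

```python
# Added example (not from the FTC post): lock an account after repeated failed
# logins within a window, while tolerating an ordinary mistyped password.
import time
from collections import deque
from typing import Callable, Deque, Dict, List


class LoginGuard:
    """Track failed logins per account and lock the account after a threshold.

    Policy (values constructed for this example; tune them for real use):
      * max_failures failures within window_seconds locks the account
      * a locked account rejects every attempt, even with the right password,
        until lockout_seconds have passed
      * a successful login clears the account's failure history
    """

    def __init__(self, check_password: Callable[[str, str], bool],
                 max_failures: int = 5, window_seconds: float = 300.0,
                 lockout_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._check_password = check_password
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._clock = clock                       # injectable for testing
        self._failures: Dict[str, Deque[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self._clock() >= until:
            del self._locked_until[username]      # lockout has expired
            return False
        return True

    def _record_failure(self, username: str) -> None:
        now = self._clock()
        history = self._failures.setdefault(username, deque())
        history.append(now)
        # Forget failures older than the window so stale mistakes do not count.
        while history and now - history[0] > self.window_seconds:
            history.popleft()
        if len(history) >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            history.clear()

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'bad_credentials' or 'locked'."""
        if self.is_locked(username):
            return "locked"                       # do not even check the password
        if self._check_password(username, password):
            self._failures.pop(username, None)    # success resets the counter
            return "ok"
        self._record_failure(username)
        return "locked" if self.is_locked(username) else "bad_credentials"


def demo() -> List[str]:
    """Replay the post's scenario with constructed data: one typo followed by
    the right password, then automated guessing against another account."""
    users = {"alice": "s3cret-passphrase", "bob": "another-passphrase"}
    fake_now = [1000.0]
    guard = LoginGuard(lambda u, p: users.get(u) == p,
                       max_failures=5, window_seconds=300, lockout_seconds=900,
                       clock=lambda: fake_now[0])
    results = []
    results.append(guard.attempt("alice", "s3cret-passphrsae"))  # typo: bad_credentials
    results.append(guard.attempt("alice", "s3cret-passphrase"))  # ok, history cleared
    for i in range(5):                                            # aaaa1, aaaa2, ...
        results.append(guard.attempt("bob", f"aaaa{i + 1}"))      # fifth guess locks bob
    results.append(guard.attempt("bob", "another-passphrase"))   # right password, still locked
    fake_now[0] += 901                                            # cooling-off period passes
    results.append(guard.attempt("bob", "another-passphrase"))   # ok again
    return results


if __name__ == "__main__":
    print(demo())
```

A slow attacker who spaces guesses beyond the window never trips this counter, which is why the post goes on to recommend a second authentication factor for sensitive accounts.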

Protect sensitive accounts with more than just a password.

You've required strong, unique passwords, stored them securely, and logged people out after a number of unsuccessful log-in attempts. But to protect against unauthorized access to sensitive information, that may not be enough. Consumers and employees often reuse usernames and passwords across different online accounts, making those credentials extremely valuable to remote attackers. Credentials are sold on the dark web and used to perpetrate credential stuffing attacks, a kind of attack in which hackers automatically, and on a large scale, input stolen usernames and passwords into popular internet sites to determine if any of them work. Some attackers time their log-in attempts to get around restrictions on unsuccessful log-ins. To combat credential stuffing attacks and other online assaults, companies should combine multiple authentication techniques for accounts with access to sensitive data.

Example: A mortgage company requires that customers use strong passwords to access their accounts online. But given the highly sensitive nature of the information in its possession, it decides to implement an additional layer of security. The company uses a secret verification code generated by an authentication app on the customer's smartphone and requires the customer to enter that code and use their strong password for access. By implementing this additional protection, the mortgage company has bolstered security on its site.

Example: An online email service provider requires strong passwords. But it also offers consumers the option of
implementing two-factor authentication through a variety of means. For example, the email provider can generate a code
by text or voice call. It also allows users to insert a security key into a USB port. By offering two-factor authentication, the
email service provider presents users with an additional layer of security.

Example: A debt collection company allows its collectors to work from home. To access the company's network, which contains spreadsheets of financial information about debtors, the company requires employees to log in to a virtual private network, protected by a strong password and a key fob that generates random numbers every six seconds. By securing remote access to its network with multi-factor authentication, the company has improved its authentication procedures.


Protect against authentication bypass.

Hackers are a persistent bunch. If they can't get in through the main entrance, they'll try other virtual doors and windows to see if another access point is ajar. For example, they may simply skip the login page and go directly to a network or web application that is supposed to be accessible only after a user has met the network's other authentication procedures. The sensible solution is to guard against authentication bypass vulnerabilities and allow entry only through an authentication point that lets your company keep a close eye on who's trying to get in.

Example: A weight loss clinic has a publicly available webpage describing its services. That page also features a login button that allows existing members to enter their username and password for access to a special Members Only portal. Once they've successfully logged on to the Members Only portal, members can navigate to other supposedly restricted pages, including a personalized Track My Progress page where they can input their weight, body fat, pulse, favorite running routes, etc. However, if a person knows the URL of a member's Track My Progress page, the person can skip the login page and simply type the URL in the address bar. That allows the person to view the information on the member's page without having to enter a username or password. The more secure option is for the weight loss clinic to check for a valid login on every request for any portion of the Members Only portal, not just on the login page itself, so that knowing a URL is never enough to reach the data behind it.
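To make the clinic example concrete, here is an added illustration written for this post; it is not code from the FTC or from any company described here. It models the portal as a tiny Python request dispatcher with one constructed member account. The vulnerable version leaves each page responsible for its own login check, and the Track My Progress page never performs one; the hardened version runs every request under /members/ through a single session check before any page is reached, and takes the member's identity from the session rather than from the URL. The member, the URLs and the session store are all made up for the demonstration.

```python
"""Authentication bypass: per-page checks (vulnerable) vs. one checkpoint for the whole portal (hardened).
Added illustration; the member account, URLs and session store are constructed for this demo."""
from dataclasses import dataclass, field
import secrets

# Constructed data. A real site stores a salted hash of the password, never the password itself.
MEMBERS = {"alice": "correct horse battery staple"}
PROGRESS = {"alice": {"weight": 150, "pulse": 62}}
SESSIONS = {}   # session token -> member name


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(req):
    """POST /login: on a correct password, mint a random session token for the browser to keep."""
    user = req.form.get("user", "")
    expected = MEMBERS.get(user, "")
    supplied = req.form.get("password", "")
    if user in MEMBERS and secrets.compare_digest(expected.encode(), supplied.encode()):
        token = secrets.token_urlsafe(32)
        SESSIONS[token] = user
        return 200, {"set_cookie": token}
    return 401, "bad credentials"


def track_my_progress(member):
    record = PROGRESS.get(member)
    return (200, record) if record is not None else (404, "no such member")


def vulnerable_app(req):
    """Each page is trusted to check the session itself, and this one never does."""
    if req.path == "/login":
        return login(req)
    if req.path.startswith("/members/track-my-progress/"):
        member = req.path.rsplit("/", 1)[-1]   # trusts the URL to say whose page this is
        return track_my_progress(member)
    return 404, "not found"


def current_user(req):
    return SESSIONS.get(req.cookies.get("session", ""))


def hardened_app(req):
    """Every path under /members/ passes through one authentication check before any page runs."""
    if req.path == "/login":
        return login(req)
    if req.path.startswith("/members/"):
        user = current_user(req)
        if user is None:
            return 302, "/login"            # no valid session: redirect, never render
        if req.path.startswith("/members/track-my-progress/"):
            # identity comes from the session, not the URL, so a member cannot read another's page
            return track_my_progress(user)
    return 404, "not found"


def demo():
    """Status codes: the direct URL against both apps, then a real login against the hardened one."""
    direct = Request("/members/track-my-progress/alice")
    bypassed = vulnerable_app(direct)[0]        # 200: data served with no login at all
    blocked = hardened_app(direct)[0]           # 302: bounced to the login page
    status, body = hardened_app(Request("/login", form={"user": "alice", "password": "correct horse battery staple"}))
    token = body["set_cookie"]
    allowed = hardened_app(Request("/members/track-my-progress/alice", cookies={"session": token}))[0]
    return bypassed, blocked, allowed


if __name__ == "__main__":
    print(demo())   # (200, 302, 200)
```

The design point is where the check lives: in the hardened dispatcher there is exactly one place that decides whether a request under /members/ may proceed, so a newly added page cannot forget to do it, and the page never learns who the member is from anything the visitor typed.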

The message for businesses: Think through your authentication procedures to help safeguard sensitive information on your network.

Next in the series: Store sensitive personal information securely and protect it during transmission.

12/19/2017 Stick with Security: Store sensitive personal information securely and protect it during transmission | Federal Trade Commission

Stick with Security: Store sensitive personal information securely and protect it during transmission



Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection
Aug 18, 2017

TAGS: Consumer Protection Privacy and Security Data Security

You've heard about Newton's laws regarding bodies at rest and bodies in motion. A 21st century corollary is to protect sensitive information when it's at rest on your network and to implement effective safeguards when it's in motion, for example, when a customer transfers confidential data from their computer to your system. Careful companies take the advice of Start with Security by storing sensitive personal information securely and protecting it during transmission.

One strategy is surprisingly simple. Hackers can't steal what you don't have, so collect and maintain confidential data only if you need it. Asking customers for sensitive information on the off chance you might use it someday for something isn't a sound policy. The wiser practice is to sensibly limit what you collect and then store it securely. It's a cost-conscious approach, too, because it's less expensive to secure a smaller amount of data stored in designated locations than scads of sensitive stuff scattered throughout your company.

One important security tool is encryption. Encryption is the process of transforming information so that only the person (or computer) with
the key can read it. Companies can use encryption technology for sensitive data at rest and in transit to help protect it across websites, on
devices, or in the cloud.

How can your business store data safely, including when it's en route? Here are some suggestions gleaned from FTC settlements, closed investigations, and questions that businesses have asked.

Keep sensitive information secure throughout its lifecycle.


You can't keep information secure unless you have a clear picture of what you have and where you have it. One preliminary step is knowing how sensitive data enters your company, moves through it, and exits. Once you have a handle on its journey through your system, it's easier to keep your guard up at every stop along the way.

Example: An online sporting goods retailer has consumers select a username and password. The company stores all
usernames and passwords in clear, readable text. By not storing that information securely, the retailer has increased the
risk of unauthorized access.

Example: A recipe website allows customers to create individual profiles. In designing the registration page, the company considers the many categories of information it could ask for and narrows them down to the ones justified by a business reason. For example, the company considers asking for the user's date of birth to tailor the site to recipes that might appeal to people of that demographic, but then decides to let consumers pick age ranges instead. By thinking through its need for the information and collecting a less sensitive kind of data, the company has made a more secure choice that will still allow it to tailor the user experience.

https://www.ftc.gov/news-events/blogs/business-blog/2017/08/stick-security-store-sensitive-personal-information-securely

Example: A real estate company needs to collect sensitive financial data from prospective home buyers. The business uses appropriate encryption to secure the information when it's sent from the customer's browser to the company's server. But when the information arrives, a service provider decrypts it and sends it in clear, readable text to the company's branch offices. By encrypting the initial transmission of information, the real estate company has taken a prudent step to keep it safe. But by allowing the service provider to send unencrypted data to the branches, the company hasn't given sufficient consideration to the importance of maintaining appropriate security throughout the lifecycle of sensitive information.

Example: A company uses state-of-the-art encryption technology, but stores the decryption keys alongside the data they encrypt, so anyone who copies the data gets the means to read it in the same haul. The company should have stored the decryption keys separately from the data the keys are used to unlock.

Use industry-tested and accepted methods.


Some marketers design their products to have a unique, quirky look. But unique and quirky aren't words you want applied to your company's security. Rather than reinventing the encryption wheel, the wiser approach is to employ industry-tested methods that reflect the collective wisdom of experts in the field.

Example: Two app developers are preparing similar products for the market. ABC Company uses its own proprietary method to obfuscate data. In contrast, XYZ Company uses a tried-and-true encryption method accepted by industry experts. By using a proven form of encryption, XYZ Company has made a prudent choice in developing its product. What's more, XYZ's advertising campaign can truthfully tout its use of industry-standard encryption.

Ensure proper configuration.


A rock climber may have top-of-the-line gear, but if he hasn't properly attached the carabiners and pulleys, or if he's using them in a way the manufacturer warns against, he could be in for a disastrous descent. In a similar vein, even when companies opt for strong encryption, they need to make sure they've configured it correctly.

Example: A travel company develops an app that allows consumers to buy tickets to popular tourist attractions. The travel company's app uses the Transport Layer Security (TLS) protocol to establish encrypted connections with consumers. When data is moving between the app and the companies selling the tickets, the TLS certificate is used to ensure that the app is connecting to the genuine online service. However, when configuring its app, the travel company disables the process that validates the TLS certificate, so the app will accept a certificate presented by anyone who can intercept the connection. The travel company does this despite warnings from app developer platform providers against disabling the default validation settings or otherwise failing to validate TLS certificates. The travel company should have followed the default recommendations of the app development platforms.
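The travel company's mistake rendered in code, as an added illustration for this post rather than anything taken from the company or its platform: in Python's standard ssl module the platform default is a context that validates the certificate chain and checks the hostname, and "disabling validation" means clearing exactly those two settings. The audit function is an assumption added here so that a build or review step can refuse a context that no longer validates its peers.

```python
"""TLS client configuration: the weak settings beside the platform defaults, plus a check that catches them.
Added illustration; audit_context() is an assumption made for this demo, not a standard API."""
import ssl


def insecure_context() -> ssl.SSLContext:
    """What 'disable certificate validation' looks like: any certificate, for any name, is accepted,
    so anyone who can intercept the connection can impersonate the ticket seller."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared first, or relaxing verify_mode raises ValueError
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context() -> ssl.SSLContext:
    """The platform default: chain validated against the trust store, hostname checked, old protocols refused."""
    ctx = ssl.create_default_context()             # CERT_REQUIRED and check_hostname=True out of the box
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse obsolete protocol versions as well
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the validation weaknesses found; an empty list means the context validates its peers."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for any other site is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS 1.1 or older")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("secure", secure_context())):
        print(name, audit_context(ctx) or "ok")
```

A real connection would be opened with ctx.wrap_socket(sock, server_hostname="tickets.example") (a hypothetical host); with the insecure context the server_hostname argument is accepted but never checked against the certificate, which is precisely the condition the platform warnings describe.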

The reminder for businesses is that confidential data can enter your system, move through it, and exit it in ways you might not have
considered. Are you putting reasonable protections in place along the way?

Next in the series: Segment your network and monitor who's trying to get in and out.

12/19/2017 Stick with Security: Secure remote access to your network | Federal Trade Commission

Stick with Security: Secure remote access to your network



Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection
Sep 1, 2017

TAGS: Bureau of Consumer Protection Consumer Protection Privacy and Security Data Security Small Business

Ask a business person where their office is located and the likely answer is everywhere. They're working from home, staying in the loop while traveling, and catching up on email between sales calls. For productivity's sake, many companies give their employees, and perhaps clients or service providers, remote access to their networks. Are you taking steps to ensure those outside entryways into your systems are sensibly defended?

If your business wants to start with security, it's important to secure remote access to your network. Here are some examples based on FTC investigations, law enforcement actions, and questions that businesses have asked us.

Ensure endpoint security.


Your network is only as secure as the least safe device that connects to it, and there's no guarantee that an employee's home computer, a client's laptop, or a service provider's smartphone meets your standards for security. Before allowing them to access your network remotely, set security ground rules, communicate them clearly, and verify that the employee, client, or service provider is in compliance. Furthermore, wise companies take steps to make sure that devices used for remote access have updated software, patches, and other security features designed to protect against evolving threats.

Example: Before allowing employees to access the company network remotely, a business establishes standard configurations for firewalls, antivirus protection, and other protective measures on devices used for remote access, and conducts periodic in-house training. It also provides a token with a dynamic security code that the employee must type in to access the company's network, and maintains procedures to ensure that employees' devices have the mandated firewalls, antivirus protection, and other protections in place. In addition, the company regularly re-evaluates its requirements in light of emerging threats and blocks remote access by devices with outdated security. By approaching endpoint security as an ongoing process, the company has taken steps to reduce the risks associated with remote access.

Example: An executive search firm has files on its network that include confidential information about job candidates. When a prospective employer retains the search firm, the firm gives the employer remote access to its network to view those files, but doesn't check to see that the employer's computers use firewalls, updated antivirus software, or other security measures. The better approach would be for the search firm to contractually require minimum security standards for employers that want to access the firm's network remotely and to use automated tools to make sure employers meet the requirements.

https://www.ftc.gov/news-events/blogs/business-blog/2017/09/stick-security-secure-remote-access-your-network

Put sensible access limits in place.


In this blog series, we've already talked about the need to control access to data sensibly. Just as security-conscious companies restrict in-house access to sensitive files to staff members with a business need for the data, they also put sensible limits in place for remote access.

Example: A retailer hires a contractor to revamp its online payroll system. The retailer gives the contractor remote access to the portions of the network necessary to complete the task, but restricts the contractor from other parts of the system. In addition, the retailer discontinues the contractor's authorization as soon as the task is complete. By limiting the scope and duration of the contractor's remote access, the retailer has taken steps to protect confidential data on its network.

Example: A company decides to update its information infrastructure and signs contracts with multiple vendors to remotely install and maintain software on numerous systems on the company's network, a project the company anticipates will take one year from start to finish. Because the vendors will be working on different portions of the network at different times, the company creates user accounts that give each vendor full administrative privileges throughout the company's network for the entire year. Although this might be the fastest way for the company to manage vendor accounts, it's an insecure choice. A wiser option would be to tailor each vendor's access to the scope of its work. For example, the company should determine whether some vendors can perform their duties without administrative privileges across the company's network. Other vendors may need administrative access, but only for a limited period of time. Furthermore, if a particular vendor will have multiple employees sharing administrative access, the company should implement a method (for example, individual accounts rather than one shared login) so it can audit and attribute account use to a particular vendor employee.

Not many burglars bulldoze down a wall. Instead they exploit weaknesses in doors, windows, and other external entrances. The message
for companies is if you allow remote access to your network, be vigilant about defending those entryways.

Next in the series: Apply sound security practices when developing new products

12/19/2017 Stick with Security: Apply sound security practices when developing new products | Federal Trade Commission

Stick with Security: Apply sound security practices when developing new products



Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection
Sep 8, 2017

TAGS: Consumer Protection Privacy and Security Data Security Tech Small Business

Your company has a killer concept for an innovative app or a connected product and you're in that initial blue-sky-and-whiteboard stage. You'll have lots of opportunities to develop your distribution chain, create eye-catching ads, and start the social media buzz. But there's one task that can't wait. Now is the time to start with security, and that includes applying sound security practices when developing new products.

Tech experts will tell you it's tough to graft security on after the fact. The sounder strategy, and the one more likely to win consumer confidence, is to build security in from the start. A look at FTC investigations, law enforcement actions, and the experiences that businesses have shared with us suggests the importance of starting with security in product development. Here are examples gleaned from those sources.

Train your engineers in secure coding.


The premium your company places on sound data security can't be an "It goes without saying . . ." kind of thing. Say it clearly, sincerely, and frequently. Create a work environment where your staff is encouraged at every stage to factor security into product development. From concept to marketplace and beyond, articulate your expectation that employees keep security at the forefront of their decisionmaking. Ultimately, it's the best strategy for your customers, your corporate reputation, and your profitability.

Example: A company launching a new software product emphasizes to its software engineers the importance of coding quickly to ensure that the product reaches the market as soon as possible and the engineers meet in-house coding deadlines. But only after the product is in consumers' hands does the company discover that the engineers have repeatedly created code that is susceptible to common, well-known security vulnerabilities for which there are available solutions. To correct the problem, the company has to implement an expensive after-the-fact fix. The more efficient and, ultimately, more cost-effective practice would have been for the company to emphasize to its software engineers the importance of secure coding throughout the development process and to provide them with the training necessary to meet that expectation.

Follow platform guidelines for security.


Starting with security doesn't necessarily mean starting from scratch. Every major platform has guidelines for developers to help keep sensitive data secure. Wise companies take that advice into account in designing new products.

https://www.ftc.gov/news-events/blogs/business-blog/2017/09/stick-security-apply-sound-security-practices-when

Example: A company creates a mobile app for two different app platforms. Both platforms require data to be encrypted in transit and both have Application Programming Interfaces (APIs) that provide industry-standard encryption. By using the platforms' APIs correctly, the company's engineers can help keep data secure.

Verify that security features work.


Keeping an umbrella in your car is a prudent idea, but test it while the sun is shining. Don't wait until a torrential downpour to find out that the ribs are bent or the handle is broken. In a similar vein, it's wise to build security features into your products, but before you head to the marketplace, verify that they're enabled and operating properly.

Furthermore, if you make any claims to consumers about the nature of the security your product provides, those representations must be truthful and supported by proof you have in hand before you start selling. "But we don't make any security-related claims." Maybe so, but are you sure? Under the FTC Act, companies are responsible for all representations, express and implied, that consumers acting reasonably under the circumstances take from a company's marketing materials. That includes statements or depictions conveyed on TV or radio, in print, on your website, in online ads, on packaging, through social media, in privacy policies, or in an app store. Businesses are free to put security features front and center in their marketing materials as long as they honor established truth-in-advertising standards. So before you tout the security benefits of your product, verify that they live up to your advertised promises.

Example: A company that sells a household budgeting app runs an ad claiming that its product has "bank grade security." But the company doesn't have a written security program, doesn't conduct risk assessments, doesn't train its employees in secure information practices, and fails to implement other practices commonly associated with bank grade security. By making representations that are false or unsubstantiated, the company has likely violated established truth-in-advertising standards.

Test for common vulnerabilities.


Is there any way to make your product 100% hack-proof? Without reverting to the days of tin cans connected with string, the answer is no. But there are steps you can take to protect your customers from well-known vulnerabilities that are preventable with tried-and-true security tools. The good news is that many of those tools are free or available at low cost. Before you release your product, make sure it's ready for prime time. Test it to ensure that you've built in defenses against known risks.

Of course, new threats emerge periodically, which is why security should be a dynamic process at your business. The security protocols
you put in place for last years product may not be sufficient for Version 2.0. How can you keep your ear to the ground about defending
against the latest threats? There is robust public cross-talk among researchers, tech experts, industry members, government agencies, and
others committed to sticking with security. Follow their discussions on trusted websites, heed their warnings about new risks, and revise
your design decisions accordingly.

Example: A 10K race application requires registrants to enter their name, address, date of birth, credit card number, and fastest 10K time. The data is stored in a SQL database that combines data from race events all over the country. The event organizers didn't consult free resources to stay current on security risks, and never performed any code analysis or penetration tests to assess whether their application was vulnerable to a SQL injection attack. By staying current with free resources (for example, OWASP's Top Ten Project) the event organizers could have reduced the risk of exposing racers' personal information to unauthorized access.
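Here is the race organizers' flaw in miniature, as an added illustration for this post; the table, the two sample registrants and the lookup functions are all constructed here, and none of it is the organizers' code. The vulnerable lookup pastes the runner's name into the SQL text, so a crafted name rewrites the query and pulls card numbers out of the same table; the parameterized lookup sends the name as data, and the same input returns nothing. This is the kind of test the OWASP Top Ten material would have pointed the organizers toward.

```python
"""SQL injection in a registrant lookup: string concatenation beside parameter binding.
Added illustration; the table, rows and payloads are constructed for this demo."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the combined race database, with two constructed registrants."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE registrants (name TEXT, dob TEXT, card TEXT, best_10k TEXT)")
    db.executemany(
        "INSERT INTO registrants VALUES (?, ?, ?, ?)",
        [
            ("Ana Ruiz", "1984-03-02", "4111111111111111", "41:12"),
            ("Bo Chen", "1991-11-20", "5555555555554444", "38:05"),
        ],
    )
    return db


def lookup_vulnerable(db: sqlite3.Connection, name: str) -> list:
    """The name becomes part of the SQL grammar, so a quote in the input ends the literal early."""
    sql = "SELECT name, best_10k FROM registrants WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db: sqlite3.Connection, name: str) -> list:
    """The name travels as a bound parameter: whatever it contains, it can only ever match a name."""
    return db.execute(
        "SELECT name, best_10k FROM registrants WHERE name = ?", (name,)
    ).fetchall()


# Constructed attacker inputs.
DUMP_ALL = "' OR '1'='1"                                        # returns every registrant's time
STEAL_CARDS = "x' UNION SELECT name, card FROM registrants --"  # swaps card numbers into the result


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, STEAL_CARDS))   # card numbers, no authentication required
    print(lookup_safe(db, STEAL_CARDS))         # []
```

The point is not that the vulnerable query is obviously wrong on inspection; it is that nobody ever fed it a name containing a quote. A code analysis tool flags the concatenation, and a penetration test sends the payloads above; either would have surfaced the problem before the card numbers did.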

Example: An app company regularly consults public resources like US-CERT for updated information about cyberthreats. The company realizes that the product it's developing includes a security flaw some hackers have started to exploit. By catching the problem early and implementing an appropriate fix, the company has protected its customers and its reputation.

What can companies learn from these examples? Building security from the ground up is a cost-effective approach to innovation.

Next in the series: Make sure your service providers implement reasonable security measures

12/19/2017 Stick with Security: Make sure your service providers implement reasonable security measures | Federal Trade Commission

Stick with Security: Make sure your service providers implement reasonable security measures



Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection
Sep 15, 2017

TAGS: Bureau of Consumer Protection Consumer Protection Privacy and Security Data Security

Trust, but verify. That's good advice in many contexts, including in your approach to businesses you hire to process sensitive data in your possession. Even if a breach ultimately traces back to a service provider's conduct, from the perspective of a customer or employee whose personal information has been compromised, the buck stops with you. That's why Start with Security cautions companies to make sure their service providers implement reasonable security measures.

Before bringing service providers on board, spell out what you expect in terms of security. Satisfy yourself that they have the technical chops to get the job done. Build in procedures so you can monitor what they're doing on your behalf. And make sure they're following through on their promises.

Drawn from FTC law enforcement actions, investigations, and questions we get from companies, here are some examples that illustrate
steps you can take to encourage your service providers to start with security and stick to it.

Do your due diligence.


You wouldn't buy a used car before checking under the hood, and you wouldn't buy a house based solely on the seller's promise that it's in top-notch condition. Data security is no different. Information is often one of the most important assets a business has. Before putting it in someone else's control, be sure you know how that information will be used and secured.

Example: A company is looking to hire a contractor to handle its data processing. It gets bids from two contractors: one with a recognized name in the field and a newcomer that charges significantly less. Rather than simply opting for the established brand name or the low bidder, the company asks both contractors detailed questions about, among other things, how they will secure the company's data, who will have access to the data, and how they will train their employees to maintain the data securely. The company should award the contract only if it's satisfied with the responses it has received. Even then, the company should include specific provisions in its contract requiring reasonable security.

Put it in writing.


Data security is too important to relegate it to a vague "Let's just shake on it" deal. Both sides benefit when expectations, performance standards, and monitoring methods are reduced to writing in the contract.

Example: A company hires a service provider to send monthly billing statements to customers. The company gives the service provider access to account information, including customers' preferred payment methods, and the service provider creates a spreadsheet of the data. The contract between the company and the service provider doesn't include any requirement to maintain reasonable security. The service provider doesn't have firewalls in place, doesn't encrypt data at rest or in transit, and doesn't implement system logs or an intrusion detection system. By failing to require reasonable security in the contract and failing to specify the security measures the service provider must put in place, the company missed an opportunity to safeguard its customers' confidential information.

https://www.ftc.gov/news-events/blogs/business-blog/2017/09/stick-security-make-sure-your-service-providers-implement

Example: A national staffing agency recruits employees from across the country to work from home to conduct data entry. The company hires regional HR contractors to help new employees fill out their initial personnel paperwork. The HR contractors go to the new employees' homes to have them complete the appropriate forms, which contain sensitive personal information, including Social Security numbers. The HR contractors photograph the forms and then use the new employees' personal computers to upload and email the information back to the staffing agency. The better practice would be for the staffing agency to specify in its contract a more secure method for conveying the information and to contact the HR contractor immediately if sensitive data is sent in contravention of that provision.

Verify compliance.


You count your change, confirm your hotel reservations, and review your credit card statement. Double-checking just makes sense. That's why careful companies verify that service providers are complying with security-related contract provisions.

Example: A retailer that sells camping gear hires a company to develop an app with information about hiking trails. The retailer intends to market the app with the claim that it will not collect geolocation data unless the user affirmatively opts in, and the retailer includes a clause to that effect in its contract with the app developer. Before releasing the app, the retailer tests it and determines that the app collects geolocation information from all users and transmits it to an ad network. By spelling out its expectations in the contract and testing to see that the developer has honored them, the retailer can get the problem corrected before the app is released.

The message to security-centric companies is to build your expectations into your contracts with service providers that will have access to sensitive information. In addition, make sure you have a way of monitoring what they're doing on your behalf.

Next in the series: Put procedures in place to keep your security current and address vulnerabilities that may arise.

12/19/2017 Stick with Security: Put procedures in place to keep your security current and address vulnerabilities that may arise | Federal Trade Commission

Stick with Security: Put procedures in place to keep your security current and address vulnerabilities that may arise



Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection
Sep 22, 2017

TAGS: Consumer Protection Privacy and Security Data Security Small Business

Sound data security is a process, not a checklist. We've all heard that slogan, and with good reason. The way that sensitive information moves into, through, and out of your company's networks or the software products you develop is ever-evolving. So, too, are the risks that hackers and data thieves pose as they adapt to the countermeasures you take to foil their efforts. Approaching data security with a one-and-done attitude ignores the here-and-now realities you face. That's why Start with Security recommends that companies put procedures in place to keep their security current and address vulnerabilities that may arise.

A look at FTC law enforcement actions, closed investigations, and the experiences that businesses have shared with us demonstrates the
wisdom of that advice. These examples illustrate why you should keep your security up to date and respond quickly to credible threats.

Update and patch software.


Sometimes companies learn that their networks, or third-party software installed on their networks, are vulnerable to a new form of threat. If that's the case, find out what the experts recommend and act accordingly.

In other instances, a company determines that its own products already in consumers' hands possess a vulnerability to an existing or new threat. In that instance, take steps to correct the problem with an update or a patch and move quickly to let customers know about remedial steps they should take.

Example: The owner of a home-based business buys a new laptop to manage his venture. He installs anti-virus software from a reputable company. When given the onscreen choice, the business owner allows the software to update the laptop's anti-virus protection automatically. In that circumstance, opting for automatic updates is a sensible decision.

Example: A regional chain of hair salons uses third-party software to manage retail sales and inventory. When an email arrives from the vendor advising users to install a patch to address a security vulnerability, a designated staff member goes directly to the vendor's site (rather than following a link in the email) to confirm the authenticity of the message, and then takes the steps necessary to update the software. By having a system in place to monitor and respond to security communications from vendors, the company has helped to keep its security up to date.

https://www.ftc.gov/news-events/blogs/business-blog/2017/09/stick-security-put-procedures-place-keep-your-security

Example: A company sells a popular line of personal finance software. After many consumers have already bought the product, the company spots a security vulnerability in the software. The company creates a new version of the software that addresses the vulnerability. However, it doesn't contact existing customers to offer a patch, and it doesn't take into account vulnerable software still available on retail shelves. By failing to implement the fix effectively, the company has put consumers' sensitive information at risk.

Plan how you will deliver security updates for your products' software.


No matter how secure you believe your product to be, software vulnerabilities may be discovered in the future. Security-savvy companies have a plan in place to issue timely security updates. The method will depend on the nature of the product, but it's wise to build those contingencies in before you go to market.

Example: A company manufactures a thermostat that connects to the internet. The company configures default settings to
automatically search for and install security updates that the company deploys. By designing its product with a method in
place to deliver necessary updates, the company has made a more secure design choice.

Example: A company manufactures a kitchen appliance that connects to the internet. In the initial product development
stage, the company determines that automatic security updates aren't feasible. So the company designs the appliance with
an alert button that provides a visual cue that a security update is available online. Furthermore, during the initial set-up
wizard, consumers have the option of adding an additional method of communication (for example, text or email) to receive
notices when a security update is available. By building those communication channels in from the start, the company has made it
easier to tell customers about future security updates or patches.

Heed credible security warnings and move quickly to fix the problem.

On the subject of security, there's a lot of cross-talk among tech experts, researchers, government agencies, industry pros, and consumers.
With a wealth of expertise out there, it's wise to keep your ear to the ground when the topic turns to emerging risks and potential
vulnerabilities. Pay attention when you get wind of security warnings that could affect your network or your product. Also, if experts are
trying to reach your company to sound a particular alarm, will their messages get to the right people quickly?

Example: An app developer receives thousands of emails a day. On its website, it directs people to email
customerservice[at]companyname.com with questions or comments about resetting passwords, payments, and other
typical consumer issues. In case of a potential security concern, however, it directs people to email
security[at]companyname.com. The app developer designates a knowledgeable staff member to monitor that mailbox regularly and
immediately flag plausible concerns for appropriate personnel (for example, the developer's software security engineers). By
heeding credible security warnings and moving quickly to investigate and resolve them, the app developer may be able to prevent a
problem or mitigate a risk.

Example: A security researcher finds a major vulnerability in an app. The researcher tries to contact the app developer, but
cannot find a way to reach the company, other than a general corporate phone number. In training, administrative personnel
who retrieve voicemails from the general number are instructed to delete messages from unknown third parties. A better
practice would be to route communications about potential vulnerabilities, such as bug reports, to a dedicated channel where they can be
evaluated by qualified security personnel.

The lesson for companies committed to sticking with security is to create channels in advance to receive and send critical information about
potential vulnerabilities. Move quickly to implement appropriate security remedies.

Next in the series: Secure paper, physical media, and devices

12/19/2017 Stick with Security: Secure paper, physical media, and devices | Federal Trade Commission

Stick with Security: Secure paper, physical media, and devices


Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection
Sep 29, 2017

TAGS: Bureau of Consumer Protection Consumer Protection Privacy and Security Data Security Small Business

High-profile hackers grab the headlines. But some data thieves prefer old school methods: rifling through file cabinets, pinching
paperwork, and pilfering devices like smartphones and flash drives. As your business bolsters the security of your network, don't let that
take attention away from how you secure documents and devices.

FTC law enforcement actions, closed investigations, and experiences we've heard from businesses demonstrate the wisdom of adopting a
360-degree approach to protecting confidential data. As Start with Security suggests, securing paper, physical media, and devices is an important
part of that strategy.

Securely store sensitive files.

If your company has already committed to starting with security, you understand the importance of collecting sensitive information only if
you have a legitimate business need and keeping it safe while it's in your possession.

Example: A local gym maintains personnel files on its current employees. The files contain sensitive data, for example,
tax documents with Social Security numbers and direct deposit authorizations with bank account information. The files are
kept in the manager's office, which is located in an employees-only part of the facility. In addition, the manager keeps the
files in a cabinet that is locked at all times. Whenever he is helping clients or away from his office for any other reason, he takes
the additional precaution of locking his door, a lock that only he and his assistant manager can open. By implementing basic
protections, the gym is taking steps toward maintaining the security of confidential information in its possession.

Example: A tax preparation firm has a legal obligation to retain clients' records for a certain period of time. The firm keeps
them in a central storage room open to all businesses that lease office space on that floor. By leaving those files in an
unsecured location, the firm has created an unnecessary risk that clients' sensitive information could be misappropriated.

Protect devices that process personal information.


It may look like just a phone, but in the wrong hands and with insecure configuration, it could be a skeleton key that gives a data thief
unauthorized access to everything on your network. And what if a traveling employee leaves a flash drive with a database of customer
account details in a hotel business center? Companies concerned about security take steps to protect devices that store and process
confidential data.

Example: A data processing firm issues its employees smartphones so they can stay in touch when they're on the go.
The firm requires employees to lock phones with a passcode and encrypts the data on the device. Recognizing that
people may occasionally misplace their phones, the firm enables device-finding services and uses an app to ensure that it
can remotely wipe the device if it goes missing. The firm also trains employees on the procedures for promptly reporting a missing
phone. By putting commonsense policies in place and training staff members on complying with them, the firm has taken a basic
precaution to protect data accessible through those devices.

Keep safety standards in place when data is en route.


As Start with Security and an earlier post in the Stick with Security series suggest, prudent companies exercise care when transferring
sensitive information. They also establish sensible standards and train their employees to take precautions when files or devices are out of
the office.

Example: A company with five branch offices in one city assigns an employee to drive to each branch at the end of the
day to collect purchase orders that include customers' financial information. The company doesn't provide security training
to the employee. On one occasion, the employee stops to run a personal errand, leaving the paperwork in a backpack in
her car. She returns to find the passenger window smashed and the backpack stolen. By not training the employee on how to keep
the documents safe during her daily rounds, the company has contributed to the risk that the financial information will be accessed
by individuals outside the company.

Example: A regional office of a national consulting firm must send an external hard drive to headquarters. The regional
office uses an encrypted drive and sends it via a delivery service that offers package tracking. Those two precautions
reduce the risk of unauthorized access to the data.

Dispose of sensitive data securely.


It may look like trash to you, but discarded paperwork, deleted electronic files, or obsolete equipment are treasure to a data thief. Just
tossing documents in the bin or clicking DELETE is unlikely to deter infobandits. To prevent them from reconstructing discarded files,
responsible companies take the prudent step of shredding, burning, or otherwise destroying documents and using tech tools that truly
render electronic files unreadable.

Furthermore, if your business is covered by the Fair Credit Reporting Act, securely disposing of certain confidential data (credit reports
and files containing information derived from those reports) doesn't just make good business sense. Under the FCRA's Disposal Rule, it's
the law.

Example: A small bookkeeping company places two receptacles in each employee's office: a waste basket for trash and
non-sensitive paperwork and a separate bin for documents that include confidential information. A staff member regularly
gathers the confidential documents and shreds them. The company also keeps a shredder near the photocopier so
employees can destroy misfeeds or extra copies of sensitive documents. Those simple steps can help reduce the risk of
information ending up in unauthorized hands.

Example: An accounting firm decides to donate some old laptops to a charity and directs staff members to delete the files
on the computers' hard drives. However, just clicking DELETE doesn't actually delete sensitive data. Even if a file name
doesn't show up on the list of available documents, it doesn't take much for a data thief to retrieve it. The wiser practice is
to securely wipe the hard drive clean using software specifically designed for that purpose.

To stick with security, prudent companies put sensible precautions in place to safeguard paperwork, flash drives, phones, CDs, and other
media that may contain sensitive information.

Next in the series: FTC data security resources for your business

12/19/2017 Stick with Security: FTC resources for your business | Federal Trade Commission

Stick with Security: FTC resources for your business


Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection
Oct 13, 2017

TAGS: Bureau of Consumer Protection Consumer Protection Privacy and Security Data Security

In our Stick with Security blog series, we've done our best to dive deeper into data security by focusing on the lessons learned from recent
cases, insights from closed investigations, and the questions and comments we've received from businesses. One remark we've heard
from companies that want to implement the lessons of Start with Security is "Just give us a list of what to do." Unfortunately, data security
can't be boiled down to a one-and-done checklist. What's reasonable depends on the circumstances (for example, the nature of your
business and the sensitivity of the information you must collect and maintain), so there's no one-size-fits-all approach. In addition, data
thieves' tactics are constantly evolving. Last year's precautions may not protect your company from tomorrow's threats.

That said, the fundamental principles for effective data security remain constant: 1) Collect sensitive information only if you have a
legitimate business need; 2) Keep it safe while it's in your possession; and 3) Dispose of it securely when that business need ends.

"How do we put those principles in place at our business?" That's another question we've heard. The FTC has resources (lots of them) to
make that task easier. Our Data Security page, which features links to workshops, staff reports, closing letters, and more, collects relevant
guidance in one bookmark-worthy place. Here are just some of the resources you'll find there:

FTC cases. To date, the FTC has filed more than 60 actions alleging that companies engaged in deceptive or unfair practices
related to data security. Most of those matters have settled with court-enforceable orders. Of course, the complaints and orders
apply just to those companies, but wise businesses understand that every FTC action offers an across-the-board insight. For
example, the FTC has brought a number of cases against companies whose employees failed to secure sensitive data in their
possession when they were outside the office. Short-sighted businesses may just breathe a sigh of relief that it didn't happen to them.
Security-conscious companies review the complaints and consider how to incorporate those compliance nuggets into their own procedures,
including in-house training.

For busy executives, an FTC pleading may seem to start slow. But here's a tip to make better use of your time: The opening paragraphs of
most complaints usually recap the parties involved. The relevant stuff, an explanation of what the company did (or didn't do) that led to
law enforcement, usually appears in a section headed "Respondent's Course of Conduct," "Defendant's Business Activities," or something
like that. Toward the end, you'll find one or more specific allegations of the conduct the FTC believes violated the law. Furthermore, the
order in a case spells out what the company must do to reduce the risk of similar violations in the future. Like the complaint, the order
applies just to the company in question. But many businesses use it as a rough guide of prudent steps to consider.

Brochures for business. The FTC has a suite of publications written to minimize the legal jargon and maximize the practical
advice for businesses. Three titles should be on the must-read list for any company concerned about data security. Share the
links with your staff or order free copies from the FTC's bulk order site.

Where to start. Protecting Personal Information: A Guide for Business is a primer on creating a data security plan for your company.
Built on five fundamentals (Take stock, Scale down, Lock it, Pitch it, and Plan ahead), Protecting Personal Information offers a
nuts-and-bolts approach applicable to any business.

For more detail. Start with Security looks at FTC law enforcement actions and distills the cases down to 10 compliance lessons.
(Our Stick with Security blog series focuses on those same 10 lessons, but also factors in recent cases, closed investigations, and
questions and comments we've heard from businesses.)

In case a breach happens. Data Breach Response addresses the steps to take if a breach has occurred. Experienced executives
will tell you the best time to read it is before you need it.

Videos. When you're really pressed for time, the FTC has short videos that distill data security down to the basics. We have a
video to accompany each of the 10 Start with Security principles and another one about using Start with Security resources at
your business. Among the dozens of other titles are videos about defending against ransomware, using email authentication to
fight back against phishing, responding if your business is impersonated in a phishing scam, and aligning the FTC's data security
work with NIST's Cybersecurity Framework. Consider incorporating them into in-house training or showing them at your next staff meeting.
It's a 3-minute investment that could pay dividends in the form of a more security-conscious workforce.

Brochures for specific business audiences. Our Data Security page also features to-the-point titles and links for certain
market sectors. Developing a health-related mobile app? The FTC has a best-practices publication and an interactive tool. For
businesses involved in the Internet of Things, there's Careful Connections, a guide about building security into connected
products. We also have FAQs about reducing the risk of medical identity theft, a security-centric publication for companies that
buy and sell consumer debt, resources for companies covered by the Gramm-Leach-Bliley Act's Safeguards Rule, and much more.
Chances are there is a publication relevant to your line of work.

Resources for small businesses. For solo entrepreneurs or companies with just a few employees, the FTC's Small Business
site features resources written with you in mind. Small Business Computer Security Basics breaks it down with just-the-facts
guidance about protecting your files and devices, safeguarding your wireless network, and responding if you've been the target
of malware or a hack attack.

Blog posts. Almost every FTC case announcement is accompanied by two blog posts. The Consumer Blog translates security-
related developments into actionable advice for members of the public. The Business Blog focuses on what FTC law
enforcement and policy initiatives mean for your company. To date, more than 200 posts (about 20% of the total) have focused
on data security, with many offering specific takeaway tips for companies. Subscribe from our Stay Connected page and the
Business Blog will automatically arrive in your emailbox.

This is the last post in our Stick with Security series, but it won't be the last you hear from FTC staff about practical guidance for your
company. Let us know about other security-related topics you'd like us to cover.
