The FTC released “Start with Security,”a whitepaper promoting best security practices. Based on the FTC’s more than fifty Section 5, Unfair and Deceptive Trade Practices settlements, the whitepaper provides examples of what is and is not “reasonable security.” Below are the ten themes of the FTC’s growing security precedent, including a few case cites.
Don’t collect, store, or use personal information unless you have a legitimate business reason for doing so. See RockYou (cited for collecting and storing login credentials for third party websites and user’s email accounts without a business reason for doing so), and BJ’s Wholesale Club (cited for storing credit card information 30 days after credit card transactions were completed).
Only give access to sensitive information on a “need to know” basis. See Goal Financial (cited for allowing all employees regardless of business necessity to have access to every customer record).
Require the use of strong passwords, ensure that those passwords are stored securely, and that known vulnerabilities don’t undermine the use of strong passwords. See Guidance Software (cited for storing user credentials in clear text), and Lookout Services and Reed Elsevier (cited for not suspending or disabling user credentials after a certain number of unsuccessful login attempts).
Use industry standard encryption when transmitting or storing sensitive information. See Superior Mortgage Corporation (cited for failing to encrypt sensitive consumer information and allowing employees to routinely transmit that information in the clear), ValueClick (cited for using a proprietary encryption scheme that was very weak), and Fandango and Credit Karma (cited for implementing encryption in a manner that rendered it ineffective).
Segment and monitor your network. See DSW (cited for allowing an in-store computer to connect to the corporate network and in-store computers of every other retail location), and Dave & Buster and Cardsystem Solutions (cited for failing to use tools to monitor network and log activity).
Ensure proper endpoint security. See Premier Capital Lending, Settlement One, and Lifelock (all cited for allowing users to connect to corporate databases containing sensitive information without first ensuring that those connecting to the network had proper security in place on their devices. Vulnerabilities in user’s devices – such as lack of anti-virus software – allowed attackers to access the sensitive information on the corporate network by exploiting weaknesses in user’s security).
Use secure coding techniques, obey platform guidelines for security, and test and verify all security features. See MTS, HTC America, TRENDnet (cited for failing to train their engineers in secure coding practices), HTC America, Fandango, and Credit Karma (cited for failing to follow explicit platform guidelines about secure development practices), TRENDnet (cited for failing to test that an option to make a consumer’s camera feed private would, in fact, restrict access to that feed), and Snapchat (cited for claiming that images would disappear forever when in fact images were recoverable).
Ensure that service providers are following best security practices. See GMR Transcription (cited for failing to contractually require a third party to take reasonable security precautions with a company’s sensitive information).
Update and patch third-party software and head warnings regarding the security of your products. See TJX Companies (cited for failing to update anti-virus allowing attackers to gain access to their network), and HTC America and Fandango (cited for failing to put in place a system for receiving and reviewing tips from outside security researchers regarding the security of their products and services).
Dispose of and protect both paper work and physical media in a secure manner. Gregory Navone and Lifelock (cited for storing sensitive information in paper format in an unsecured manner), Accretive and CBR Systems (cited for allowing employees to keep sensitive unencrypted data on a laptop and stored in a location making it susceptible to theft) and Rite Aid, CVS Caremark, Goal Financial (all were accused of improperly disposing paper documents and/or unencrypted hard drives).
You can learn more about the FTC’s security best practices, at one of their upcoming conferences in San Francisco or Austin.
