The Federal Trade Commission (FTC) has been around a long time. Since its inception, over 100 years ago, the agency has been tasked with protecting consumers. As one might expect that responsibility changed dramatically as the internet became more and more commercialized.
In its move to the internet age, the agency added investigative duties. "Section 5 of the FTC Act gives the FTC broad authority to investigate "unfair and deceptive acts and practices in or affecting commerce," mentions Jennifer Woods, an attorney in the Intellectual Property group at Clark Hill PLC. "The FTC has increasingly used this broad authority aggressively in the privacy and data security contexts, initiating investigations pertaining to a wide variety of 'unfair' or 'deceptive' practices."
Investigating claims affords FTC members interesting insights and a unique perspective on how to best protect consumers in an ever-changing digital environment. In an attempt to share that knowledge, the FTC published Start with Security, A Guide for Businesses: Lessons Learned from FTC Cases (PDF).
The guide's introduction explains that "lessons learned" were culled from more than 50 law enforcement actions resulting from FTC investigation leads. "These are settlements — no findings have been made by a court — and the specifics of the orders apply just to those companies," explains the guide's introduction. "But learning about alleged lapses that led to law enforcement can help your company improve its practices."
Top 10 lessons learned
1: Start with security
It may sound simplistic, but not all business owners realize that security should be considered the first step. "Factor it into the decision making in every department of your business — personnel, sales, accounting, information technology, etc.," suggests the guide.
For example, collecting and maintaining information "just because" is no longer a sound business strategy. The guide refers to the FTC complaint against RockYou as an example. The company was collecting email addresses, and for some reason, the email account passwords.
2: Control access to data sensibly
If it has been decided there are legitimate reasons for retaining sensitive data, the guide recommends taking reasonable steps to keep the data secure. If employees do not use confidential information as part of their job, there's no need for them to have access to it. The same applies to administrative access.
The FTC investigation showcasing this mistake involves Twitter. The FTC alleges the company granted nearly all its employees administrative control over Twitter's system, including member accounts. That type of access, according to the complaint, increases the risk that a compromise of any of its employees' credentials could result in a serious breach.
3: Require secure passwords and authentication
If sensitive information is stored, strong authentication policies and password procedures will ensure only authorized individuals access the data. Those in charge should insist on using complex, unique passwords, ensure passwords are stored securely, and guard against brute force attacks.
In the same Twitter investigation, the FTC found employees were allowed to use common dictionary words as admin passwords. The investigators also found multiple accounts could be accessed using the same password. According to the FTC, "Lax practices left Twitter's system vulnerable to hackers who used password-guessing tools, or tried passwords stolen from other services in the hope that Twitter employees used the same password to access the company's system."
4: Store sensitive information securely and protect it during transmission
Storing sensitive data is a business necessity. The guide offers the following suggestions.
- Use strong cryptography to secure confidential material during storage and transmission.
- Experts already have developed encryption standards that will apply to your business — use them.
- Proper setup and configuration are essential.
The guide offers an example of encryption incorrectly applied. Fandango and Credit Karma use SSL encryption in their mobile apps. Allegedly, a critical process known as SSL certificate validation was turned off without implementing other compensating security measures. "That made the apps vulnerable to man-in-the-middle attacks, which could allow hackers to decrypt sensitive information the apps transmitted," explain the guide's authors.
5: Segment your network and monitor who's trying to get in and out
Isolating sensitive data on a limited access network segment via a firewall enhances security, and is something businesses should think about.
The guide also emphasizes the need for an Intrusion Detection System (IDS), referencing the FTC case involving CardSystems Solutions. Not having an IDS, the company was unaware hackers penetrated the network perimeter, installed programs on the company's network, collected sensitive data, and sent the data to a remote location every four days.
6: Secure remote access to your network
More than a few famous data breaches were initiated by leveraging remote access. After reviewing the cases, the authors found two prominent factors that businesses should focus on: ensuring adequate endpoint security and limiting the availability of remote access.
In the FTC investigation into Dave & Buster's, the guide reports, "The FTC charged that the company failed to restrict third-party access to its network. By exploiting security weaknesses in the third-party company's system, an intruder allegedly connected to the network numerous times and intercepted personal information."
7: Apply sound security practices when developing new products
This "learned lesson" is aimed at software developers. The guide, via a series of investigative examples, makes it clear that business owners need to:
- train engineers in secure coding;
- follow platform guidelines for security;
- verify that privacy and security features work; and
- test for known software vulnerabilities.
The last bullet may seem obvious — not so. The FTC investigated more than a dozen cases where businesses failed to test their software products for vulnerabilities, including the ever-popular SQL injection attacks.
8: Make sure service providers implement reasonable security measures
Too many assumptions are made when it comes to service providers. "Take reasonable steps to select providers able to implement appropriate security measures and monitor that they're meeting your requirements," write the guide's authors.
The FTC case against Upromise speaks directly to this. Upromise hired a service provider to create a browser toolbar. The software supposedly removed sensitive information before sending the data across the internet. That did not happen. The guide's authors did not say if collecting the sensitive data lead to any issues, but if it had, Upromise would have been responsible.
9: Have procedures to keep security current and address vulnerabilities
Procedures may not seem important, but if there are any legal issues, having procedures in place makes a huge difference in court. The FTC guide authors also advise, "Securing your software and networks isn't a one-and-done deal. It's an ongoing process that requires you to keep your guard up."
10: Secure paper, physical media, and devices
Businesses are focusing on digital security and forgetting about old-fashioned paper products. According to FTC complaints: Rite Aid and CVS Caremark tossed sensitive personal information — prescriptions, for example — into dumpsters.
More food for thought
The FTC, a few years ago, published Protecting Personal Information: A Guide for Business, a report that is still relevant and might be of interest to business owners and people who are responsible for ensuring that customer data remains safe.
- 7 data confidentiality questions attorneys urge you to ask (TechRepublic)
- 10 cost-effective ways to quickly beef up your company security (TechRepublic)
- Tech, privacy and security: A debate we need to have (TechRepublic)
- The 15 most frightening data breaches (TechRepublic)
- Cancer clinic warns 2.2 million patients of data breach (ZDNet)
- Security and privacy: New challenges (ZDNet/TechRepublic special feature)
Information is my field...Writing is my passion...Coupling the two is my mission.