Implement Best Cybersecurity Practices: Avoid FTC Enforcement

On August 24th, a federal appeals court decided that the Federal Trade Commission (FTC) has the authority to bring enforcement action against a company for lax cybersecurity policies. Indeed, the FTC has pursued more than 50 data security cases against businesses. So, what does a company need to do to stay off the FTC's radar?

The case the court considered dealt with an FTC claim against Wyndham Worldwide.  The company was the victim of three hacks, affecting 600,000 customers’ debit and credit card information, and resulting in $10 million in losses.  While Wyndham sees itself as a victim, the FTC believes the company didn’t do enough to protect its customers (also victims).  The FTC says Wyndham’s cybersecurity conduct that allowed the hacks amounts to an unfair trade practice, which falls in the agency’s jurisdiction.

What Did Wyndham Do Wrong?

Wyndham claimed to have certain data protections in place as part of its privacy policy, including firewalls and encryption, but the reality was that the company used weak passwords and stored credit card information in clear, readable text.

Wyndham still feels it's unfair for the FTC to go after it, since the agency has not issued regulations telling companies what standards are being applied. Others share the concern that businesses are being asked to comply with requirements that are too vague.

What Should Companies Do?

Given the court’s ruling, regardless of clear regulations, it seems businesses should look for ways to ensure they are implementing the best cybersecurity policies (see: Cybercrime: The Event That Could Shut Down Your Business in 6 Months) and putting forward a good faith effort to protect their customers from data breaches.

The FTC does have some suggestions, found in a document on its website, which are based on the lessons learned from the 50-plus cases the agency has pursued.

Here are the highlights:

1. Don’t collect information that you don’t need and don’t keep information longer than necessary. Don’t use personal information when anonymous or fictitious information could be substituted.

2. Restrict access to your network and the information stored on it. Employees should have access on a need-to-know basis. Only authorized employees should have access to sensitive data. Limit administrative access.

3. Use strong authentication procedures to limit access to data. Use complex passwords and train employees. Be careful how passwords are stored. Disable user credentials after a number of failed log-in attempts. Test for common vulnerabilities in authentication.

4. Securely store and transmit personal information. Use strong cryptography and train staff. Data transmission should be secure at all stages. Employ widely used, industry-tested methods to secure data. Ensure proper configuration of encryption technology.

5. Segment your network and keep sensitive information in a secure location on the network. Monitor activity on your network using effective intrusion detection tools.

6. Secure remote access to the network, including installation of antivirus programs on computers. Restrict third-party access to the network.

7. Apply sound security practices when developing new products. Use secure coding practices and platform guidelines. Verify that privacy and security features work and live up to your claims. Test for common vulnerabilities.

8. Watch your service providers and ensure they implement appropriate security measures. Put security standards in contracts and verify compliance by vendors.

9. Keep your security practices current. Apply software updates as they’re issued and have a process in place to update and patch third-party software. Have an effective protocol to address security vulnerability reports.

10. Protect paper, physical media, and devices. Store documents securely, put standards in place for data that is en route or off site, dispose of data securely (shred, burn, pulverize, wipe).
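Item 3 above bundles three concrete controls: store passwords so that a database leak does not expose them, enforce password complexity, and disable credentials after repeated failed log-ins. The following is an added example, not code from the article, the FTC document, or Wyndham, showing how those controls fit together in a small authentication store. The parameter values (600,000 PBKDF2 rounds, five attempts, a 15-minute lockout, a 12-character minimum) and the names `AuthStore`, `Account`, `ManualClock` and `derive` are this example's own choices. The lockout is checked before the password is verified, so a locked account gives the same answer to a correct and an incorrect password, and unknown usernames still pay the hashing cost so response time does not reveal which accounts exist.

```python
"""Salted password hashing with a failed-login lockout (added example)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed parameters for this example; they are not taken from the FTC
# guidance or the Wyndham case. 600,000 PBKDF2-HMAC-SHA256 rounds follows the
# OWASP Password Storage Cheat Sheet recommendation at the time of writing.
DEFAULT_ITERATIONS = 600_000
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
MIN_PASSWORD_LENGTH = 12


@dataclass
class Account:
    username: str
    salt: bytes               # per-user random salt: equal passwords hash differently
    digest: bytes             # PBKDF2 output; the password itself is never stored
    failed_attempts: int = 0
    locked_until: float = 0.0  # clock value after which the lock expires


class ManualClock:
    """Deterministic clock for demos and tests; production uses time.monotonic."""

    def __init__(self, start: float = 1_000.0) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted key derivation so leaked digests resist offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class AuthStore:
    def __init__(self, iterations: int = DEFAULT_ITERATIONS, clock=time.monotonic) -> None:
        self.iterations = iterations
        self.clock = clock
        self.accounts: dict[str, Account] = {}
        # Digest used for unknown usernames so the response time does not reveal
        # which usernames exist.
        self._dummy_salt = os.urandom(16)
        self._dummy_digest = derive(os.urandom(16).hex(), self._dummy_salt, iterations)

    def register(self, username: str, password: str) -> None:
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, derive(password, salt, self.iterations))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'bad_credentials'."""
        now = self.clock()
        account = self.accounts.get(username)
        if account is None:
            # Same work as a real check, so timing does not leak account existence.
            derive(password, self._dummy_salt, self.iterations)
            return "bad_credentials"
        if account.locked_until > now:
            return "locked"          # refused before verifying, correct password or not
        if account.locked_until:
            # Lock has expired: clear it and let the counter start over.
            account.locked_until = 0.0
            account.failed_attempts = 0
        candidate = derive(password, account.salt, self.iterations)
        if hmac.compare_digest(candidate, account.digest):
            account.failed_attempts = 0
            return "ok"
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT_SECONDS
        return "bad_credentials"


if __name__ == "__main__":
    clock = ManualClock()
    store = AuthStore(iterations=20_000, clock=clock)   # low rounds only for a quick demo
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))   # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.login("alice", "not the password"))           # bad_credentials x5
    print(store.login("alice", "correct horse battery staple"))   # locked
    clock.advance(LOCKOUT_SECONDS + 1)
    print(store.login("alice", "correct horse battery staple"))   # ok
```

The stored record holds only a salt and a PBKDF2 digest, which is the contrast with the clear-text storage described earlier on the page: an attacker who copies the table still has to guess each password individually at 600,000 hash rounds per guess. In a real deployment the lockout state would live in the same durable store as the accounts rather than in process memory, and the lockout event itself is worth logging, since a burst of lockouts across many accounts is an early signal of password spraying.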

There are many reasons to adopt solid cybersecurity policies – reputation, liability, financial loss – and you can add avoiding FTC scrutiny to the list.