In June, the Federal Trade Commission released a new guide for businesses on implementing sound data security protections and procedures. In “Protecting Personal Information: A Guide For Business,” the FTC offers “10 practical lessons” based on the numerous enforcement actions brought by the FTC. The guide offers insight into the thinking of this key federal regulator.
Key points from the guide:
- “Start with Security.” Build information security considerations into business processes so that they are part of “the decisionmaking in every department of your business.” The FTC recommends minimizing collection and retention of personal data.
- Control Information Access. Restrict employee and administrative access to sensitive data on a “need to know” basis.
- Authenticate. The FTC offers a number of pointers on password policy, including the need to “[i]nsist on complex and unique passwords” and “store passwords securely.”
- Protect Sensitive Data. “Use strong cryptography to secure confidential material during storage and transmission.”
- Network Protections. Segment your network and “monitor activity on your network,” including through the use of intrusion detection systems.
- Endpoint Protection. Perform due diligence on the security of any systems that may have remote access to your systems.
- Consider Service Providers. The FTC suggests including security standards as part of vendor contracts and conducting independent diligence of vendors’ security.
- Maintain. Have a process to “address vulnerabilities that may arise” and to “keep your security current.”
- Physical Security. Address physical security of “paper, physical media, and devices.” Dispose of sensitive data securely.
In addition to the new guide, the FTC has pledged to regularly publish blog posts on information security. The blog series, titled “Stick with Security,” launched last month and promises to focus on questions from businesses as well as “lessons learned” from past FTC investigations.