FTC: Data Security Primer for Small Businesses and Start-ups
The Federal Trade Commission will host a one day-conference in Chicago at Northwestern’s Pritzker School of Law on June 15, 2016. This event will be the fourth of the FTC’s Start with Security Events nationwide, which build on its publication of the same title Start with Security: A Guide for Business, released last June.
The upcoming event will be targeted specifically at start-ups and other small and medium-sized businesses, and will focus on how these organizations can better secure their products, services, and networks.
The name sums it up pretty well. In Start with Security, the FTC reiterates its long-standing view that data security should be a top priority for any organization, even those in start-up mode. This written guidance, along with short videos posted on the FTC’s website, is based on more than 50 of the FTC’s data security settlements and consent decrees synthesized into 10 lessons which the FTC says should apply to businesses of all sizes and in all sectors:
1. Start with security.
2. Control access to data sensibly.
3. Require secure passwords and authentication.
4. Store sensitive personal information securely and protect it during transmission.
5. Segment your network and monitor who’s trying to get in and out.
6. Secure remote access to your network.
7. Apply sound security practices when developing new products.
8. Make sure your service providers implement reasonable security measures.
9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
10. Secure paper, physical media, and devices.
While companies may implement these lessons and keep order in their own houses, what about the start-up that outsources its app or web design, or data collection and security? Here, the FTC’s lesson number 8 becomes critical: don’t turn a blind eye to the security practices of a third-party service provider. In fact, FTC decisions over the past couple of years illustrate that the agency will hold businesses responsible for actions – or inactions – taken by their service providers. Where a business hires an outside company to process personal information or to develop an app, it must implement reasonable safeguards to ensure the security of the project. Two cases from the FTC’s publication are worth highlighting in this regard:
In In the Matter of Upromise, Inc., the company hired a service provider to develop a browser toolbar. Upromise claimed that the toolbar, which collected consumers’ browsing information to provide personalized offers, would use a filter to “remove any personally identifiable information” before transmission. But, according to the FTC, Upromise did not confirm that the service provider had implemented the information collection program in a manner consistent with Upromise’s privacy and security policies and the terms in the contract designed to protect consumer information. As a result, the toolbar collected sensitive personal information, such as financial account numbers and security codes from secure web pages, and transmitted it in clear text. Upromise did not discover this because it did not ask follow-up questions to its provider or run tests before launching its program. The FTC settlement required Upromise, among other things, to clearly disclose its data collection practices and obtain consumers’ consent before installing or re-enabling any such toolbar products, and to notify consumers how to disable the data collection tool on their computers. The settlement also required the company to establish a comprehensive information security program and to obtain biennial independent security assessments for a period of 20 years.
In In the Matter of GMR Transcription Services, the FTC alleged that the company hired service providers to transcribe sensitive audio files, but failed to require the service provider to take reasonable security measures. As a result, confidential files were widely exposed on the Internet. GMR did not include contract provisions that required its service providers to adopt reasonable security precautions such as encryption. The FTC went after GMR for failing to adequately monitor and oversee the security of the work that its provider was undertaking. The settlement in this case, similar to the one in Upromise, prohibited GMR from misrepresenting the extent to which it maintained the privacy and security of consumers’ personal information, and put in place an FTC monitorship that required GMR to have its information security program evaluated biennially for 20 years.
Because it explains security principles using specific examples drawn from its settlements, Start with Security provides a window into the FTC's data security expectations for small businesses and start-ups. And by taking its show on the road, the FTC has surely signaled the priority it assigns, and the resources it will dedicate to the issue.