Steering Clear of Broken Promises

With last week’s ruling by the Third Circuit Court of Appeals in FTC v. Wyndham Worldwide Corp. solidifying the Federal Trade Commission’s authority to enforce data security practices, organizations that use online computers to store customer information should take notice. Since 2005, the FTC has stepped up its enforcement efforts and has entered into more than 50 consent decrees relating to cybersecurity matters. In doing so, the Commission has relied on Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices.

The FTC has focused on allegations that organizations have broken their promises to consumers concerning the collection, storage, safeguarding and use of personal information. In the last three years alone, companies such as Google, Credit Karma, Snapchat, and Fandango have all settled charges stemming from allegations that they failed to secure or use consumer data in a manner consistent with their own privacy statements or policies. The agency’s settlements have required companies to audit their cybersecurity and data privacy practices for up to 20 years (Fandango and Credit Karma), obtained injunctive relief and imposed fines of more than $20 million (Google).

In the wake of the FTC’s heightened vigilance and authority over cybersecurity and data privacy, and the seemingly ubiquitous threat of data breaches and the torrent of data breach litigation, the agency’s growing body of work has taken on heightened importance, including complaints filed against private sector companies, consent decrees and advisory publications. Organizations can glean specific advice about safeguarding private data from the FTC’s recent policy release, entitled “Start with Security: A Guide for Business.” In that publication, the FTC explains its “lessons learned” from wrestling with cybersecurity and data privacy for more than a decade. While each business has its own unique data security challenges, these “lessons” are a useful starting point for organizations to review their current practices and determine if additional steps need to be taken to address cybersecurity gaps.

1. Start with security – Make a conscious choice about the type of data collected and maintained by your company, ask if there is a “legitimate business” to hold sensitive information, how long it is kept and who can access it;

2. Control access to data sensibly – Not everyone in your organization needs access to the network and the information stored there. Consider controlling access to portions of your network where sensitive information is stored;

3. Require secure passwords and authentication – Strong authentication procedures can minimize the risk that unauthorized individuals access data. For instance, require complex and unique passwords and store them in a secure manner. Consider disabling user credentials after a number of unsuccessful log-in attempts;

4. Store sensitive personal information securely and protect it during transmission – Use sophisticated encryption technology to store and transmit sensitive information and make sure your personnel understand the appropriate level of encryption for different types of data;

5. Segment your network and monitor who’s trying to get in and out – Consider firewalls to limit access and monitor your network for suspicious activity;

6. Secure remote access to your network – Develop robust remote access policies including limited remote access to “what’s needed to get the job done.” In some instances, third parties such as vendors should be given only limited or temporary access;

7. Apply sound security practices when developing new products – When a new product is designed or rolled out, ensure that engineers are properly trained in secure coding and follow detailed security guidelines;

8. Make sure your service providers implement reasonable security measures – In many instances, the weakest link might be your vendors and service providers. Make sure they implement reasonable security standards and audit them to verify compliance;

9. Put procedures in place to keep your security current and address vulnerabilities that may arise – Data security isn’t a one-time event. It’s an ongoing process that includes updating and patching third-party software, and keeping tabs on current threat and vulnerability assessments; and,

10. Secure paper, physical media, and devices – physical security is just as important as network security. Properly store sensitive files, protect devices that contain or process personal information, secure sensitive information when it’s outside the office and when paper needs to be discarded or equipment has seen its useful life, placing it in the dumpster isn’t the answer. Paperwork with sensitive information should be shredded and equipment wiped clean of any sensitive data.

The FTC will also hold two conferences this fall to discuss specific aspects of data security. The first, on September 9th in San Francisco at the University of California Hastings College of Law, will focus on security considerations for start-ups and developers. The topic of the second conference, on November 5th, at the University of Texas at Austin’s Robert C. Strauss Center for International Security and Law, has not been announced.

The Third Circuit’s decision could affect private actions as well based on state law. Twenty-eight states have “little FTC Acts” which, although varying from state to state, are focused on prohibiting “unfair” acts or practices. Will Wyndham open up the private sector to additional claims made under these state laws? We’ll discuss that issue in an upcoming Blog post.