Jul 132015

Federal Trade Commission Releases Guide for Businesses on Data Security

Christopher Eiswerth
, ,

The Federal Trade Commission released “Start with Security:  A Guide for Business” on June 30, 2015.  The guide contains ten best practices for addressing issues of data security based on lessons learned from the FTC’s 53 data-security actions to date.  Specifically, it identifies “vulnerabilities” that could affect businesses of all sizes and provides some “practical guidance on how to reduce the risks [those vulnerabilities] pose.”

The guide’s pointers include:

  • Start with security.
  • Control access to data sensibly.
  • Require secure passwords and authentication.
  • Store sensitive personal information securely and protect it during transmission.
  • Segment your network and monitor who’s trying to get in and out.
  • Secure remote access to your network.
  • Apply sound security practices when developing new products.
  • Make sure your service providers implement reasonable security measures.
  • Put procedures in place to keep your security current and address vulnerabilities that may arise.
  • Secure paper, physical media, and devices.

The Commission has also sprinkled the guide with various cautionary tales gleaned from its many enforcement actions.  For instance, in its advice on “control[ling] access to data sensibly,” the Commission highlights a previous action against Twitter for granting nearly all of its employees administrative control over Twitter’s network.  This practice, according to the Commission, “increased the risk that a compromise of any of its employees’ credentials could result in a serious breach.”  Thus, in the guide, the Commission encouraged businesses to “ensur[e] that employees’ access to the system’s administrative controls was tailored to their job needs.”

In adopting this guide and these examples, the Commission stressed that “no findings have been made by a court” in the 53 data-security cases and that “the specifics of the [Commission’s] orders apply just to those companies.”  It is important to note, however, that in other litigation the Commission has argued that such complaints and settlements provide constitutionally adequate notice that a company’s data-security practices may be considered unfair acts or practices under 15 U.S.C. § 45.  See Brief for the Federal Trade Commission, FTC v. Wyndham Hotels & Resorts, LLC, 48–49 (3d Cir., pending) (No. 14-3514).  Furthermore, in the same litigation, the Commission has contended that a 2007 Business Guide provided sufficient and adequate notice that Wyndham’s failure to take specific actions would be considered unfair.

Given this backdrop and position by the Commission, businesses would be well served by evaluating their data-security practices in light of the Commission’s prior complaints and this guide, even if the complaints, in and of themselves, do not apply directly to the broader business community.

Christopher Eiswerth

ceiswerth@sidley.com

You might also like
New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).

FemTech Has Been Warned: UK’s ICO Indicates Closer Scrutinization of FemTech Apps

On 4 April 2023, John Edwards, the UK’s Information Commissioner, stated that the UK’s Information Commissioner’s Office (ICO) would be “going after providers of women’s health apps and auditing them, and getting them to change any practices that are non-compliant.” Speaking at the IAPP Global Privacy Summit in Washington DC, the Information Commissioner indicated that this proposed strategy forms part of the ICO’s new “agile” initiative, which will focus on “areas of vulnerability, targeting…intervention [where] that has the greatest impact”.

U.S. Securities and Exchange Commission Proposes Three Rules Related to Cybersecurity, Reopens Comment for One Rule

On March 15, 2023, the U.S. Securities and Exchange Commission (SEC) proposed three rules related to cybersecurity and the protection of consumer information and reopened the comment period for a proposed cybersecurity rule for investment advisers and funds. This significant action would impose new cybersecurity requirements for several SEC-registered entities, including with respect to these entities’ policies, incident response and notification procedures, and cybersecurity risk management. This Sidley commentary and analysis discusses the key features of each proposal, including new requirements and differences among each of the proposals.