On July 28, 2017, the FTC published the second blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled “Start with security – and stick with it,” looks at key security principles that apply to all businesses regardless of their size or the types of data they handle.
The practical guidance offers five steps companies can take to ensure the security of the data they hold and provides examples to illustrate each step.
- Don’t collect personal information you don’t need – The less confidential information a company holds, the less risk a company faces in the event of a breach. According to the FTC, the old practice of stockpiling sensitive information when it isn’t required doesn’t hold water in the cyber era. Businesses should limit what data they collect to reduce security risks and streamline compliance procedures.
- Hold onto information only as long as you have a legitimate business need – Companies should regularly review the data they hold, assess which data should be maintained and carefully dispose of data that is no longer required to achieve a legitimate business need.
- Don’t use personal information when it is not necessary – Sensitive data should not be used in contexts that create unnecessary risks. For example, a company that wishes to set up an app for its sellers to access customer accounts should not provide actual account files of customers to explain the scope of the project to an app developer.
- Train your staff on your standards – And make sure they are following through. According to the FTC’s post, a company’s staff poses the greatest risk to the security of sensitive information in a company’s possession. At the same time, company staff also provide the number one defense against unauthorized access. Companies should train all staff, including temporary and seasonal workers, on standards to be upheld. Appropriate procedures to monitor staff compliance should be put in place as well. Additional training should be provided to existing staff to reinforce company rules, and companies should encourage employees to suggest ways of improving procedures.
- When feasible, offer consumers more secure choices – Companies should analyze their data collection practices for both their business operations and the products and services they offer to consumers. Products should be designed to collect sensitive information only if it is necessary for product functionality. Default settings and user setup interfaces should be designed in a way that makes it easy for consumers to choose more secure settings, and defaults should be set at more protective levels.
The FTC’s next blog post, to be published this Friday, August 4, will focus on sensibly controlling access to data.