On August 18, 2017, the FTC published the fifth blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Store sensitive personal information securely and protect it during transmission, outlines steps businesses can take to secure sensitive data, including when it is in transit.

The FTC’s reasonable protections include:

  • Keeping Sensitive Information Secure Throughout its Lifecycle: This involves knowing how sensitive data enters the business, moves within it and leaves the business. Once a business understands this roadmap, it is easier to implement security at every interval of data movement.
  • Use Industry-Tested and Accepted Methods: To ensure security, businesses should adopt industry-tested methods reflective of expert wisdom in the field. For example, a business that adopts tried and true encryption methods accepted by industry, and incorporates these methods into product development, acts more prudently than a business that uses its own proprietary method to obfuscate data.
  • Ensure Proper Configuration: When businesses choose to use strong encryption, they need to ensure they have configured it correctly. For example, a business using Transport Layer Security (“TLS”) must ensure the process to validate the TLS certificate is enabled. Following default recommendations likely will result in the correct set up, but businesses that change settings must ensure that they have the correct configuration.

The FTC’s next blog post, to be published on Friday, August 25, will focus on segmenting networks and monitoring who is trying to get in and out.

To read our previous posts documenting the series, see FTC Posts Fourth Blog in its “Stick with Security” Series, FTC Posts Third Blog in its “Stick with Security” Series and FTC Posts Second Blog in its “Stick with Security” Series.