FTC Releases Security Advice Based on Data Security Settlements

By: Arieanna Schweber | 7/24/2015

The FTC recently released a business guide that summarizes compliance lessons learned from the more than 50 data security settlements to-date. Start with Security: A Guide for Business offers actionable data security tips based on real-life security incidents and subsequent law enforcement actions. Whether organizations are reading this brochure or are reading about a breach in the news, there are always “compliance nuggets,” as the FTC notes, that can be learned from.

start_with_security_coverThe FTC has distilled 10 common-sense lessons from the settlements it has reached:

  1. Start with security - factor the management & security of data into every decision, which in turn will dictate keeping less data from the start and over time
  2. Control access to data sensibly - restricting user access and administrative access
  3. Require secure passwords and authentication - while also not allowing employees to store passwords insecurely
  4. Store sensitive personal information securely and protect it during transmission - which is about managing data through its entire lifecycle and having a way to verify it’s protected (the vulnerability of encryption is addressed here)
  5. Segment your network and monitor who’s trying to get in and out
  6. Secure remote access to your network - which includes endpoint security, ensuring remote connections from employees and contractors are secure and logins cannot be exploited
  7. Apply sound security practices when developing new products
  8. Make sure your service providers implement reasonable security measures - which requires you to verify contractor compliance and also monitor for security incidents
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise - patching and prioritizing / responding to security vulnerabilities is key
  10. Secure paper, physical media, and devices - this duplicates the need for endpoint security, which is about securing data outside the corporate network

In addition to this guide, the FTC has amassed its growing resources on business security in a new microsite. This new landing page outlines case studies, reports, education, tutorials and up-to-date news as it relates to data security and FTC enforcement of data security incidents. As the FTC notes, its actions are based on the idea of “reasonableness,” where an organization’s data security measures must reasonably reflect the sensitivity and volume of data it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities.

At Absolute, we want to support your organization with technology solutions to make data protection easy. Solutions such as automated patch deployment with Absolute Manage and the persistent ability to monitor encryption status on the endpoint with Absolute Data & Device Security (DDS), are just some of the ways we can help. Learn more at Absolute.com

Compliance
Arieanna Schweber

Arieanna Schweber has been a part of the Absolute writing team since 2007. Arieanna was Canada's first female professional blogger and has been professionally blogging since 2006 and has spoken at leading blogging conferences including BlogHer and Northern Voice. Arieanna has a joint degree in Business and Communications from Simon Fraser University and continues to build communities for Vancouver-based clients.

All Posts By This Author
Related Articles
Sound Physicians Secures Devices and Protects PHI with Absolute Resilience
Randy Turer - 11/3/2020
- 1 min read
Absolute Software Guide to Understanding HIPAA Compliance
Absolute Team - 6/19/2020
- 4 min read
HIPAA Compliance Checklist for 2020
Neeraj Annachhatre - 3/5/2020
View Recent Articles
Financial Services