The Federal Trade Commission recently wrapped up its Stick with Security blog series, which dove deeply into data security lessons based on agency cases, closed investigations, and questions and comments from businesses.
To recap the lessons of the 12-post series: the FTC emphasized three fundamental principles for effective data security: “(1) Collect sensitive information only if you have a legitimate business need; (2) Keep it safe while it’s in your possession; and (3) Dispose of it securely when that business need ends.”
Many businesses ask the FTC for a list of what to do in order to satisfy their data security obligations, noted Thomas Pahl, Acting Director of the FTC’s Bureau of Consumer Protection.
“Unfortunately, data security can’t be boiled down to a one-and-done checklist,” he wrote. “What’s reasonable depends on the circumstances—for example, the nature of your business and the sensitivity of the information you must collect and maintain—so there’s no one-size-fits-all approach. In addition, data thieves’ tactics are constantly evolving. Last year’s precautions may not protect your company from tomorrow’s threats.”
To help businesses keep on top of their continually changing data security responsibilities, the FTC referred companies to a host of resources.
A major source of information is the more than 60 FTC actions alleging that companies engaged in deceptive or unfair practices related to data security. “Wise businesses understand that every FTC action offers an across-the-board insight,” according to the blog post. “Short-sighted businesses may just breathe a sigh of relief that it didn’t happen to them. Security-conscious companies review the complaints and consider how to incorporate those compliance nuggets into their own procedures, including in-house training.”
In addition, the FTC provided “a suite of publications” written to maximize practical advice for businesses, as well as short videos on various data security topics, including one for each of the ten Start with Security principles that formed the basis of the blog series. The FTC has also crafted some industry-specific publications for companies that buy and sell consumer debt, a guide about building security into connected products, and a list of resources geared to small businesses.
Why it matters: In the final blog post of its Stick with Security series, the FTC encouraged companies to stay focused on data security and reiterated its overarching principles: sensitive data should be collected only when there is a legitimate business need, kept safe while in the company’s possession, and disposed of securely when the need ends, with what counts as reasonable judged on a business-specific basis.