On June 30, 2015, the Federal Trade Commission (FTC) published “Start with Security: A Guide for Businesses” (the Guide).
The Guide is based on 10 “lessons learned” from the FTC’s more than 50 data-security settlements. In the Guide, the FTC discusses a specific settlement that helps clarify the 10 lessons:
- Start with security;
- Control access to data sensibly;
- Require secure passwords and authentication;
- Store sensitive personal information securely and protect it during transmission;
- Segment networks and monitor anyone trying to get in and out of them;
- Secure remote network access;
- Apply sound security practices when developing new products that collect personal information;
- Ensure that service providers implement reasonable security measures;
- Implement procedures to help ensure that security practices are current and address vulnerabilities; and
- Secure paper, physical media and devices that contain personal information.
The FTC also offers an online tutorial titled “Protecting Personal Information.”
We expect that the 10 lessons in the Guide will become the FTC’s road map for handling future enforcement actions, making the Guide required reading for any business that processes personal information.