On the occasion of the Federal Trade Commission’s (FTC) 50th data security settlement, it issued a statement, giving businesses guidelines for their data security practices.
Under Section 5 of the Federal Trade Commission Act (FTCA), the FTC must protect consumers from “deceptive and unfair” commercial practices in the economic sectors under its jurisdiction. One of those deceptive or unfair practices is the lack of data security to protect a wide variety of sensitive consumer data, such as social security numbers, health data etc… Over the years since its first settlement in 2002, the FTC has developed certain principles.
The FTC’s standard for appropriate data security is “reasonableness”, which is a flexible standard that varies according to a.o. the sensitivity of the data or the size and complexity of the business. In other words, the security requirements of a large financial institution will be greater than the security requirements of a small grocery store.
Despite the fact that the FTC allows for such elasticity in the application of appropriate security standards, it proposes five basic data security practices that should be followed by every business:
- Data Mapping: Know what data the company has, where it is and who has access to it. This knowledge will help expose possible vulnerabilities.
- Data Minimization: A company should only collect and retain data that it really needs for its legitimate business purposes. (eg. no need to retain pin numbers of payment cards after the payment has been made).
- Risk assessment and remediation in key areas: physical security, electronic security, employee training, and vendor oversight.
- Secure Disposal: Once data is not needed anymore, make sure to dispose of it in a secure fashion. (eg. once paper files are not needed anymore, don’t throw them in a garbage dump. Shred them instead).
- Security Breach Preparedness: Companies should have a plan in place to respond to security incidents.
