Data Security Standards in a Post-Wyndham v. FTC World

Image

The Federal Trade Commission (“FTC”) can now sue a company for failing to adequately protect client data. Let that sink in for a moment. In short, the recent court ruling confirmed the FTC’s authority to create, impose, and enforce data security rules on virtually any business that holds consumer data.

QUICK BACKGROUND

On August 24, 2015, the US Court of Appeals ruled that the FTC has the authority to sue Wyndham for its alleged failure to protect consumer data stemming from three hacking incidents between 2008-2009. The outcome of this case represents a sea change in how companies must protect consumer data because there are now potentially serious legal and fiscal ramifications if a company fails to provide that protection. Tripwire Senior Security Analyst Ken Westin said it succinctly:

“The important message from the FTC  here is that businesses can be held accountable with regards to their privacy policies and claims regarding the security and privacy of customer data. This decision will give the FTC more teeth to go after businesses who make claims with regards to security and privacy, but either through discovery or a breach it is revealed that they failed to deliver on these claims.”

With this in mind, the question on everyone’s mind should be, what do I have to do to avoid getting sued by the FTC when my client’s data is breached?

Foundations of the ftc’s standard of care

Fortunately for us, in June 2015 the FTC broke ground and set forth data security guidelines: “Start with Security: A Guide for Business.” This document details the ten most important data security lessons a business must heed, all drawn from the FTC’s 50+ data security settlements. Here is a quick primer on the ten lessons covered by the FTC.

1. Start with Security – Evaluate every decision with an eye towards security. The value of Security Impact Assessments cannot be stressed enough. Pay particular attention to: only collect data you need; only retain data you need (or have legal duty to retain); and only use data when necessary.
2. Control Access to Data Sensibly – Three words: “Need to Know.” Evaluate your data and restrict access to sensitive data to those who actually Need to Know for their job function. This also applies to administrative access. Blanket data security policies fail, but group level data security policies can be a good method to controlling access.
3. Require Secure Passwords and Authentication – Passwords must actually serve as a form of individual authentication that is complex, unique, and cannot be bypassed. On the IT side, passwords must be stored securely and have an automatic lockout after unsuccessful attempts.
4. Store Sensitive Personal Information Securely and Protect it During Transmission – A core element of protecting your client’s data is industry standard, properly configured encryption throughout the lifecycle of sensitive data. Not sure on how, what or why encryption works? See Here, for a primer.
5. Segment Your Network and Monitor Who’s Trying to Get In and Out – This one is very basic, but particularly on point given the recent court case. Segment your network, break it up, and separate your internal networks so that a zero-day vulnerability in one area or a an intrusion, does not grant unfettered access in another. In tandem with that, monitor your network for traffic, spikes in usage, etc.
6. Secure Remote Access to Your Network – Every company employs remote workers, or at the very least, people who are routinely out of the office. Ensure those individuals have strong endpoint security (anti-virus, spyware, firewalls, and hardened routers) and enforce reasonable access limits on those remote users. Complete administrative access for a remote user is typically a recipe for disaster.
7. Apply Sound Security Practices When Developing New Products – This lesson focuses on the principles of secure coding such as testing and verifying features (i.e. does laptop camera actually turn off when light is off) and bug testing for common vulnerabilities. The key focus here is using industry standard methods and practices when creating and deploying products.
8. Make Sure Your Service Providers Implement Reasonable Security Measures – Know who you work with and know the security measures they have in place to protect your clients’ data. At the end of the day, trust, but verify.
9. Put Procedures in Place to Keep Your Security Current and Address Vulnerabilities that May Arise – Patch your software, patch your equipment, stay up to date on new threats as they develop, and most importantly, react with speed to fix problems.
10. Secure Paper, Physical Media, Devices – In a perfect world, no one would use paper. Unfortunately, we do not live in that world yet. First, for those things that must be stored as a paper file, it should be secured in a truly secure room and not left in or on: cars; briefcases, desks, homes, fax machines, or break rooms. Next, if your clients enter data on a device, secure it from theft and tampering. Third, when your data is in transit, use insured and bonded transportation services. The back seat of the mail room guy’s car is not an appropriate place to transport sensitive information. Finally, destroy your data correctly, thoroughly, and leave no doubt that the destruction is complete.

The above lessons will serve as the foundation of the data standard of care expected by the FTC as it moves forward with its new mandate on security. While, many of these lessons seem like common sense, I will wager that if you ran through these internally, at least one issue would flag. Remember, its not enough to have data security policies in place, you must verify their application, implementation, and adherence. Now is the time to get your IT and legal departments at the table and audit your data security policies and procedures with an eye towards the FTC’s ten lessons. Prepare now, or get sued later.

Image

About the Author: Hudson Harris, CIPM, is Chief Privacy Officer and Associate General Counsel at a company based in St. Louis, Missouri, that focuses on software design and mental healthcare. He spent eight years in network administration before obtaining his MBA/MA and law degree. He now writes on the intersection of Technology, Business, and Legal centered issues at legallevity.com and @legallevity. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. _{Title image courtesy of ShutterStock}