In our Stick with Security blog series, we’ve done our best to dive deeper into data security by focusing on the lessons learned from recent cases, insights from closed investigations, and the questions and comments we’ve received from businesses. One remark we’ve heard from companies that want to implement the lessons of Start with Security is “Just give us a list of what to do.” Unfortunately, data security can’t be boiled down to a one-and-done checklist. What’s reasonable depends on the circumstances – for example, the nature of your business and the sensitivity of the information you must collect and maintain – so there’s no one-size-fits-all approach. In addition, data thieves’ tactics are constantly evolving. Last year’s precautions may not protect your company from tomorrow’s threats.
That said, the fundamental principles for effective data security remain constant: 1) Collect sensitive information only if you have a legitimate business need; 2) Keep it safe while it’s in your possession; and 3) Dispose of it securely when that business need ends.
“How do we put those principles in place at our business?” That’s another question we’ve heard. The FTC has resources – lots of them – to make that task easier. Our Data Security page, which features links to workshops, staff reports, closing letters, and more, collects relevant guidance in one bookmark-worthy place. Here are just some of the resources you’ll find there:
FTC cases. To date, the FTC has filed more than 60 actions alleging that companies engaged in deceptive or unfair practices related to data security. Most of those matters have settled with court-enforceable orders. Of course, the complaints and orders apply just to those companies, but wise businesses understand that every FTC action offers an across-the-board insight. For example, the FTC has brought a number of cases against companies whose employees failed to secure sensitive data in their possession when they were outside the office. Short-sighted businesses may just breathe a sigh of relief that it didn’t happen to them. Security-conscious companies review the complaints and consider how to incorporate those compliance nuggets into their own procedures, including in-house training.
For busy executives, an FTC pleading may seem to start slow. But here’s a tip to make better use of your time: The opening paragraphs of most complaints usually recap the parties involved. The relevant stuff – an explanation of what the company did (or didn’t do) that led to law enforcement – usually appears in a section headed Respondent’s Course of Conduct, Defendant’s Business Activities, or something like that. Toward the end, you’ll find one or more specific allegations of the conduct the FTC believes violated the law. Furthermore, the order in a case spells out what the company must do to reduce the risk of similar violations in the future. Like the complaint, the order applies just to the company in question. But many businesses use it as a rough guide of prudent steps to consider.
Brochures for business. The FTC has a suite of publications written to minimize the legal jargon and maximize the practical advice for businesses. Three titles should be on the must-read list for any company concerned about data security. Share the links with your staff or order free copies from the FTC’s bulk order site.
- Where to start. Protecting Personal Information: A Guide for Business is a primer on creating a data security plan for your company. Built on five fundamentals – Take stock, Scale down, Lock it, Pitch it, and Plan ahead – Protecting Personal Information offers a nuts-and-bolts approach applicable to any business.
- For more detail. Start with Security looks at FTC law enforcement actions and distills the cases down to 10 compliance lessons. (Our Stick with Security blog series focuses on those same 10 lessons, but also factors in recent cases, closed investigations, and questions and comments we’ve heard from businesses.)
- In case a breach happens. Data Breach Response addresses the steps to take if a breach has occurred. Experienced executives will tell you the best time to read it is before you need it.
Videos. When you’re really pressed for time, the FTC has short videos that distill data security down to the basics. We have a video to accompany each of the 10 Start with Security principles and another one about using Start with Security resources at your business. Among the dozens of other titles are videos about defending against ransomware, using email authentication to fight back against phishing, responding if your business is impersonated in a phishing scam, and aligning the FTC’s data security work with NIST’s Cybersecurity Framework. Consider incorporating them into in-house training or showing them at your next staff meeting. It’s a 3-minute investment that could pay dividends in the form of a more security-conscious workforce.
Brochures for specific business audiences. Our Data Security page also features to-the-point titles and links for certain market sectors. Developing a health-related mobile app? The FTC has a best-practices publication and an interactive tool. For businesses involved in the Internet of Things, there’s Careful Connections, a guide about building security into connected products. We also have FAQs about reducing the risk of medical identity theft, a security-centric publication for companies that buy and sell consumer debt, resources for companies covered by the Gramm-Leach-Bliley Act’s Safeguards Rule – and much more. Chances are there is a publication relevant to your line of work.
Resources for small businesses. For solo entrepreneurs or companies with just a few employees, the FTC’s Small Business site features resources written with you in mind. Small Business Computer Security Basics breaks it down with just-the-facts guidance about protecting your files and devices, safeguarding your wireless network, and responding if you’ve been the target of malware or a hack attack.
Blog posts. Almost every FTC case announcement is accompanied by two blog posts. The Consumer Blog translates security-related developments into actionable advice for members of the public. The Business Blog focuses on what FTC law enforcement and policy initiatives mean for your company. To date, more than 200 posts – about 20% of the total – have focused on data security, with many offering specific takeaway tips for companies. Subscribe from our Stay Connected page and the Business Blog will automatically arrive in your email inbox.
This is the last post in our Stick with Security series, but it won’t be the last you hear from FTC staff about practical guidance for your company. Let us know about other security-related topics you’d like us to cover.