FTC Fires Up Data Security Initiative, Releases Guidance for Businesses

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

June 30 — A new Federal Trade Commission initiative and guidance document aim to help businesses better protect consumers' information, the commission announced June 30.

In addition to the data security guidance, the “Start With Security” initiative includes a series of conferences and a “one-stop” data security website for businesses, the FTC said in a statement.

“Promoting good data security practices has long been a priority for the FTC,” Jessica Rich, director of the FTC’s Bureau of Consumer Protection, said in the statement. “The new Start with Security initiative shares lessons from the FTC’s 54 data security cases. Although we bring cases when businesses put data at risk, we’d much rather help companies avoid problems in the first place.”

The first conference will take place Sept. 9 in San Francisco and will be co-sponsored by the University of California Hastings College of the Law. The second event is scheduled for Nov. 5 in Austin, Texas, and will be co-sponsored by the University of Texas Robert C. Strauss Center for International Security and Law.

The target audience for the first event will be small- and medium-size businesses, while the target audience for the second event includes start-ups and developers, the FTC said.

10 Recommended Steps

The business guidance includes 10 recommended steps for effective data security that the FTC said it drew from its own cases:

• starting with security;

• sensibly controlling access to data;

• requiring secure passwords and authentication;

• securely storing sensitive personal information and protecting it during transmission;

• segmenting networks and monitoring those trying to get in and out of the network;

• securing remote access;

• applying sound security practices to new products;

• ensuring that service providers implement reasonable security measures;

• establishing procedures to ensure security measures are current and to address any vulnerabilities; and

• securing paper, physical media and devices.


“The document is designed to provide an easy way for companies to understand the lessons learned from those previous cases,” the FTC said. “It includes references to the cases, as well as plain-language explanations of the security principles at play.”

The guidance “Start With Security: A Guide for Business” is available at https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf.

The FTC's website on data security is at http://www.ftc.gov/datasecurity.