Is the FTC Data Security Message Reaching Startups?

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Paul Stinson

Nov. 18 — Federal regulators may need to tailor their data security expectations when it comes to technology startups, entrepreneurs and startup executives say.

Although startups appreciate the Federal Trade Commission's attempts to raise data security consciousness among the new tech company set, the FTC could better emphasize that a reasonable data security standard is proportional based in part on the size and resources of a business, they said.

FTC Commissioner Terrell McSweeny recently told a gathering of startups in Austin, Texas that data security should be seen as a journey to reasonable security practices rather than a destination, prompting a mixture of acceptance and concern from audience members as to whether data security expectations of Silicon Valley businesses would be applied by the FTC to companies just emerging from Austin's tech incubator environment.


What Is Reasonable Security?

“I think you’ll hear FTC attorneys say that our standard here is not perfect security but reasonable security,” McSweeny said.

“We recognize that you can have the best practices in place and still suffer a hacker attack and breech, so again the standard here is for reasonable security, best practices and trying to do the right thing and being responsive to a highly dynamic environment,” she told attendees.

On the sidelines of the conference, McSweeny told Bloomberg BNA that “reasonable security is not perfect security but it is engaging in processes to identify threats, to address vulnerabilities to avoid really unreasonable practices.”

The commissioner gave examples of unreasonable practices to guard against as gateways to unnecessary vulnerabilities, including storage of passwords in a folder marked ‘passwords’ or giving every employee in a large organization administrative access. “If you have personally identifiable information about people and customers, and you are selling your old hard drives make sure you take the PII off the hard drives before you sell them into a secondary market!” McSweeny said.

For a reasonable data security standard “we need to have a different expectation built in for the startup.”

Mona Rao, Director of Information Security,
Umbel, Austin, Texas

“Those types of things that seem like common sense, you don’t have to be a security expert to understand it’s really necessary to protect the data that you have,” she said.

Just how responsive that standard is to the challenges associated with being a tech startup versus being an established company remains unclear and a lingering area of concern, members of Austin’s tech community told Bloomberg BNA.

Nuanced Approach Needed.

Mona Rao, director of information security at Umbel, an Austin-based data management platform, called for a more nuanced definition and a sense of proportionality in executing data security that is tailored to fit, rather than using a one-size-fits-all approach.

For data security, “we need to have a different expectation built in for the startup,” she told Bloomberg BNA on the sidelines of the meeting following the commissioner’s opening remarks.

The FTC's focus on security is a good approach, “but we need to customize the approach and we need to tailor the approach to be a voice for companies that are just starting out,” Rao said.

The journey to security described by McSweeny “has to be defined in some way for startups and marked by revenue or maybe number of people, years you’ve been in existence,” she said.

The FTC should give a better sense of what it is startup can do to show progress if it wants to “do the right thing” and has the right intentions and has gone to lengths to put the correct personal in place and build an accountability structure, Rao said.

Right-Sizing Security Guidance.

The FTC's message of investing in security at a company’s early stage is starting to get through and echoes what the tech community is saying, Matt Johansen, director of security at Austin-based financial tech startup Honest Dollar, told Bloomberg BNA.

The FTC is emphasizing good ideas, such as building a security culture, gaining buy-in from management of security development and implementing a secure development lifecycle, Johansen, who participated on a panel at the conference, said.

“As far as the platform goes or any real security guidance platform—whether it’s the FTC or any of the others—you have to boil it down to its core principles and adopt it to whatever your organization is,” he said.

“I can’t give you advice if you didn’t tell me what even kind of company or size company you’re working with—I can’t give you blanket security advice that’s going to work for you,” Johansen said..

That advice is going to be “way different” for an organization “that pushes code out once a month” versus an “organization that pushes code out thirty times a day,” said Johansen. They are completely different companies that need differentsecurity advice, he said.

Rao agreed a nuanced approach that takes size into account is essential. “It could have been a different message if you’re sitting in California in Silicon Valley” but “if you’re sitting here in Austin for a company that is just starting out, if themessage is for startups then the conversation has to be proportionate to that,” she said.

A startup should be “measured by the same stick that Facebook and Microsoft” on data security. If the big companies are getting penalized and fined for, there is just no comparison.”

“Proportional is what I’m looking for,” Rao said.