used with permission from SBA.gov, by Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection
When it comes to data security, what’s reasonable will depend on the size and nature of your business and the kind of data you deal with. But certain principles apply across the board: Don’t collect sensitive information you don’t need. Protect the information you maintain. And train your staff to carry out your policies.
The FTC’s Start with Security initiative was built on those fundamentals. As we mentioned in last week’s introductory post, we’re calling this series Stick with Security because each blog post will offer a deeper dive into one of the ten principles discussed in Start with Security. Although the principles remain unchanged, we’ll use these posts – one every Friday for the next several months – to explore the lessons of law enforcement actions announced since Start with Security, to reflect on what businesses can learn from investigations that FTC staff ultimately closed, and to address experiences businesses have shared with us about how they implement Start with Security in their workplaces.
Don’t Collect Personal Information You Don’t Need
It’s a simple proposition: If you don’t ask for sensitive data in the first place, you won’t have to take steps to protect it. Of course, there will be data you must maintain, but the old habit of collecting confidential information “just because” doesn’t hold water in the cyber era.
There’s another advantage of collecting only what you need. A lean subset of confidential data is easier to protect than massive amounts of sensitive information stockpiled on networks and in file cabinets throughout your company. Businesses that sensibly limit what they collect have already reduced their security risks and streamlined their compliance procedures.
Example: A local garden center introduces a frequent buyer program. The application asks customers for a substantial amount of personal information, including Social Security numbers, and the garden center maintains the applications in its files. Because the store has no business reason to collect customers’ Social Security numbers, it’s taking an unnecessary risk by asking for that information in the first place and exacerbating that risk by keeping customers’ applications on file.
Example: A bakery sends customers a coupon for a free birthday muffin. Rather than maintaining a record of all customers’ dates of birth – information that could be combined with other data and used for unauthorized purposes – the bakery directs its cashiers to add only the customer’s name, email address, and birth month to the database. Although there are legitimate reasons why other businesses might need to retain a customer’s date of birth, the exact day, month, and year isn’t necessary for the bakery’s birthday promotion.
Example: A tire shop experiences a breach involving information about its 7000 customers. The data includes customers’ names, loyalty numbers for the shop, and the date of their last tire rotation. FTC staff decides not to pursue a law enforcement action because, among other factors, the company had made the sound decision not to collect sensitive information unnecessarily and had taken reasonable steps to secure its network in light of the limited information it maintained.
Hold Onto Information Only As Long As You Have a Legitimate Business Need.
Movie fans will remember the last scene of “Raiders of the Lost Ark” – a football field-sized warehouse stacked to the vaulted ceiling with everyday items piled alongside priceless treasures. That’s how data thieves view some businesses’ haphazard method for maintaining their networks and files. Security-conscious companies make it a practice to review the data in their possession periodically, assess what they should maintain, and securely dispose of what’s no longer needed.
Example: A large company attends recruiting fairs in cities around the country to attract professional talent. After each candidate completes an initial interview, the human resources personnel who staff the company’s booth enter information about the person on an unencrypted company laptop. Data entered by the HR staff includes the candidate’s resume, information regarding security clearance status, and the candidate’s salary demand. The same unencrypted laptop is used at every recruiting fair and the data of previous candidates is never removed. The company has likely missed critical opportunities to dispose of candidates’ sensitive information it no longer needed, including data from people it decided to not hire.
Don’t Use Personal Information When It’s Not Necessary.
Of course, there will be times when your business will need to use sensitive data, but don’t use it in contexts that create unnecessary risks.
Example: A company sells pet supplies through hundreds of sales representatives across the country. The company wants to hire a developer to design an app that sales representatives can use to access customer accounts. Those account files contain names, addresses, and financial information. To explain the scope of the project, the company sends interested app developers sample account files of actual customers. The more secure choice would have been to create mock files that don’t include sensitive customer information.
Train Your Staff On Your Standards – And Make Sure They’re Following Through.
What poses the greatest risk to the security of sensitive information in your company’s possession? And what’s your #1 defense against unauthorized access? The answer to both questions is your staff. Train new employees – including seasonal workers and temps – on the standards you expect them to uphold. Devise sensible monitoring procedures to make sure they’re complying with your rules. Because the nature of your business may change and threats will evolve, conduct “all hands on deck” refreshers to explain new policies and reinforce your company’s rules of the road.
Once you’ve educated your staff about the standards, deputize them to come forward with suggestions about improving your procedures. Encourage a collaborative process that takes advantage of everyone’s expertise. A C-suite executive may have great big-picture ideas, but if you’re looking for practical advice about protecting sensitive paperwork that people send to your company, consult the man in the mailroom, too.
Example: Before new employees are given network access, a company requires them to participate in in-house training. To encourage their attention, the presentation features brief interactive quizzes. In addition, the company includes security-related tips in its weekly email updates to all employees and periodically requires them to take refresher courses. By training its staff on how to handle sensitive data and reinforcing its policies with regular reminders and supplemental security education, the company has taken steps to encourage a culture of security.
Example: A company provides payroll services for small businesses. Once a month, a member of the IT staff is tasked with deactivating the network access and passwords of employees who have left the company within the past 30 days. The more secure practice would be to train the IT staff to block former employees’ access immediately upon their departure.
When Feasible, Offer Consumers More Secure Choices.
Think through your data collection practices both in the day-to-day operation of your business and in the products, services, apps, etc., you offer consumers. Design your products to collect sensitive information only if it’s necessary for functionality and clearly explain your practices to consumers up front. Consider how you can use default settings, set-up wizards, or toolbars to make it easier for users to make more secure choices. For example, if your product offers a range of privacy choices – from secure settings for less experienced users to advanced options for “black diamond” pros – set the out-of-the-box defaults at the more protective levels.
Example: A company manufactures a router that allows consumers to access documents on their home computers while they’re away from home. By default, the router gives anyone on the internet unauthenticated access to all the files on the connected storage devices attached to consumers’ routers, which may include financial data, health records, and other highly sensitive information. The product manual and set-up wizard don’t explain these defaults and don’t make it clear to users what’s going on. The company could have reduced the possibility of unauthorized access by configuring its default settings in a more secure fashion.