FTC-Recommended Best Practices for Cybersecurity from Inside and Outside Your Business

By Kimberly E. Diamond, Paul M. Gelb and Katherine E. Armstrong

The Federal Trade Commission (FTC) is the U.S. government agency charged to protect consumers against fraud as well as deceptive and unfair practices in the marketplace. The FTC has used this authority to bring more than 100 privacy and data security actions. Drawing on these actions, the FTC has enunciated best practices, which the Third Circuit referenced in F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015), as providing fair notice of what the FTC finds to be good data management.

Accordingly, the FTC has recommended the following best practices based on lessons learned from actions it has brought against companies in cybersecurity and data breach cases. The steps mentioned below are important, are relatively basic, and can usually be implemented without placing a great burden on the company itself.

From the Inside: 3 Smart Steps for Managing Data Collection, Retention, and Use

Data management and data security are the first step in handling customers’ personally identifiable information and other proprietary information. Companies need to streamline and make smart choices about the type of data they collect. They also need to implement and review their data retention policies regarding how long certain data is kept, and limit who can use and access the data.

  1. Data Collection – Don’t Be a Data Harvesting Magnet

No longer is it either prudent or recommended to keep personal information “just because.” Today, storing information needs to be carefully conducted and data needs to be treated like an asset. For this reason, a business should only collect personal data from others that it actually needs, not extraneous confidential information.

  2. Data Retention – Only Preserve for Legitimate Business Needs

If the legitimate business need to retain confidential information no longer exists, then it might be better to dispose properly of such information. Retaining unnecessary personal information can create an unreasonable risk for a company’s customers, placing the company itself at greater risk. For instance, if hackers successfully infiltrate the company’s computer system, they may steal and use this confidential information to the customers’ detriment. Indeed, all 50 states have enacted legislation requiring any business or governmental agency to notify individuals of data breaches that involve personally identifiable information. Moreover, depending on the circumstances, the customers whose information was stolen can then potentially bring a lawsuit against the company.

  3. Limit Use and Access – Restrict to Those Who “Need to Know”

Exercise diligence and caution regarding which of your staff members can use or access personal confidential information of others. If your company retains confidential information in paper files, implement controls regarding where and how these files are stored, as well as which employees may access such information. Safeguarding hard copies of confidential information and controlling access to them can potentially prevent documents from inadvertently winding up in the hands of unauthorized third parties. For electronic data, restrict administrative access so that only certain employees have the ability to access and modify parameters of certain databases, including those databases containing passwords or other sensitive customer or employee information and credentials.

From the Outside – 3 Smart Steps for Dealing with Third Party Service Providers

While engaging with service providers may be necessary for a business, having them expose your business to additional risk is not. By requiring these third parties to agree to certain contractual provisions regarding data security, following up to ensure compliance with those provisions, and being prudent about allowing these third parties to have access to your company’s computer network, your business may reduce its risk for data breaches and theft.

  1. Contracts – Include Provisions Requiring Reasonable Security Precautions

Failure to contractually obligate a third party service provider to use or adopt reasonable security precautions, such as data encryption, may put your business at risk. Any files containing confidential information that your business provides to these third parties could be vulnerable. Ensure that your business’s contracts with third parties contain language requiring that certain reasonable precautions are taken to safeguard confidential information, or engage a lawyer to help your company develop a standard form of confidentiality agreement your business can distribute to those receiving confidential information.

  2. Follow-Up on Contractually Agreed-Upon Measures

Third party service providers may lull you into a sense of false confidence by encouraging your business to take their word that they have followed through on contractually agreed-upon measures. A better approach is to be vigilant and build an oversight element into the security implementation process. You can do this by inquiring with the service provider to verify that certain agreed-upon measures have been implemented and are working in the manner sought, even if this third party already has an existing privacy and security policy.

  3. Keep Security Current to Control Who May Access Your Computer Network

Carefully monitor any third parties who know how to access your computer network, including former employees or consultants hired to conduct a discrete task on your network whose access rights have not been deactivated for whatever reason. If providing access to a third party is necessary, grant the third party limited, temporary access to your business’s computer system, or restrict the third party’s ability to connect to only the portion of your system necessary for them to complete their task.

Implementing practices mentioned in this FTC guidance will enable your business to become more resilient against cybersecurity breaches. Following these guidelines may help your company to better protect confidential information on its computer system and avoid the consequences that other companies have learned the hard way.

Kim Diamond

Kimberly E. Diamond is an Adjunct Professor of Energy Law at Fordham Law School in New York City with 20 years of business transactional experience whose area of concentration is renewable energy law and smart cities development. She is Chief Executive Officer of Boaz Energy Group, specializing in risk management, cyber liability, and data security insurance. She can be reached at kdiamond2@fordham.edu.

Paul Gelb

Paul M. Gelb has litigated for 20 years and provides legal representation in the areas of real estate, data use and privacy, technology transactions and e-commerce. Mr. Gelb is Counsel in the Los Angeles office of Drinker Biddle & Reath LLP. He can be reached at paul.gelb@dbr.com.

Katherine Armstrong

Katherine E. Armstrong advises clients on potential privacy and security risks raised by U.S. federal and state privacy laws and on advertising and marketing practices regulated by the Federal Trade Commission (FTC). She brings to her practice over 30 years of consumer protection law enforcement and policy experience from the FTC. She can be reached at katherine.armstrong@dbr.com.

This article is for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem.