Start With Security

By Jessica Rich, Director, Federal Trade Commission Bureau of Consumer Protection

New tools from the FTC can help your company do better business through improved data security.

If there is one thing that is certain about the future of business, it’s that it will involve a connected world. This means data security will be more important than ever. Fortunately, the Federal Trade Commission (FTC) has two new tools that can help your business navigate the connected world of the future, “Start with Security: A Guide for Business” and IdentityTheft.gov.

How can these new tools make a business better? Start with Security can help businesses build security into every project from the start and, if something goes wrong, IdentityTheft.gov can put businesses, their customers, and employees more quickly on the path to recovery.

What is Start with Security?

Start with Security: A Guide for Business is a collection of information-based materials that summarize lessons learned from the more than 50 data security cases the FTC has announced to date. The collection’s 10 common-sense data security lessons apply to businesses of all sizes in all sectors. Consider this example:

A company failed to restrict employee access to personal information stored in paper files and on its network. As a result, a group of rogue employees transferred more than 7,000 consumer files containing sensitive information to third parties without authorization.

The lesson for other businesses? Implement proper controls and ensure only authorized employees with a business need have access to people’s personal information. That’s just one of many FTC cases highlighted.

Learning about alleged lapses that led to FTC law enforcement action can help businesses improve practices that might lead to a security breach. Most of the FTC’s data security cases have involved basic, fundamental security missteps. Distilling the facts of these cases to their essence, Start with Security touches on vulnerabilities that could affect any business. For each lesson, the FTC offers practical tips about how to reduce these risks.

Here’s a glimpse of what’s inside:  

Lesson 1 “Start with security” covers foundational principles such as don’t collect personal information you don’t need; hold onto information only as long as you have a legitimate business need; and don’t use personal information when it’s not necessary.

Lesson 2 “Control access to data sensibly” addresses the importance of restricting access to sensitive data on a “need-to-know” basis. This is to help protect companies from breaches caused by their own employees.

Lesson 3 “Require secure passwords and authentication” explains the importance of requiring complex and unique passwords, then storing those passwords securely. The lesson also addresses guarding against brute force attacks by suspending or disabling user credentials after a certain number of unsuccessful login attempts.

In addition, the guide covers issues such as network segmentation, securing remote access to a network, monitoring service providers and safeguarding paper, physical media and devices. The complete guide is available at ftc.gov/startwithsecurity.

But Start with Security is more than just a guide; it’s a robust business education initiative, which also includes videos and events. For each of the guide’s 10 lessons, the FTC has created a brief video to explain the principles in simple terms that everyone in your company can understand.

To spread the word about Start with Security, the FTC is taking it on the road. Conferences have already been held for businesses and start-ups in San Francisco, Austin, and Seattle, and more are planned for Chicago and other cities. Participating in these events is a great way to learn more about data security from experts in the field — and to share your knowledge with other businesses. For information about upcoming events, visit ftc.gov/startwithsecurity.

How can your business use Start with Security?

Start with Security helps put companies on the road to sound data security. There are many ways a business can use Start with Security to build and enhance data security programs.

Use the lessons. First and foremost, businesses should take the guide’s recommended practices to heart and build them into their data security programs. Why learn from your own mistakes when you can learn from other companies’ experiences?

Train staff. A big part of a strong data security program is well-trained staff. For example, employees need to know how to create strong passwords and how to securely transmit personal information in this connected world. Think about distributing the Start with Security guide to all employees or showing the videos at staff meetings. Visit ftc.gov/startwithsecurity to order free copies of the guide and find the videos.

Share with your community. Better Business Bureau (BBB) and National Cybersecurity Alliance (NCSA) have been using the Start with Security materials during their Two Steps Ahead: Protect Your Digital Life Tour. Your business can do the same. All FTC materials are in the public domain and can be used freely. Feature them in industry presentations or share them with your social networks. Show that your business takes data security seriously — it makes good business sense.

What is IdentityTheft.gov?

IdentityTheft.gov is the government’s one-stop resource for reporting and recovering from identity theft. It lets victims file identity theft complaints with the FTC and receive a personal, interactive recovery plan that:

  • Walks them through each step of the recovery process;
  • Provides follow-up reminders;
  • Helps them track their recovery progress; and
  • Generates customized letters, affidavits, and forms to send to creditors, debt collectors, credit reporting agencies and the IRS.

IdentityTheft.gov offers tailored recovery plans for more than 30 types of identity theft. And, it’s available in Spanish, too, at RobodeIdentidad.gov.

IdentityTheft.gov also includes information for data breach victims whose information has been exposed but has not yet been misused. The advice given varies depending on the type of information exposed. For example, if credit card data is exposed, victims are advised to contact the credit reporting agencies. If Social Security numbers are exposed, steps are offered to protect against tax-related identity theft.

How can IdentityTheft.gov be used?

How can IdentityTheft.gov help? It can be a valuable tool in a variety of situations — after a data breach, if a customer calls about unauthorized charges, if the IRS contacts you about a suspicious tax form or even if one of your employees is a victim of identity theft. Consider these steps that can be taken to spread the word to your employees, your customers, and your community:

Tell employees about IdentityTheft.gov. You could send a company-wide email with the FTC’s short video about the site. Or assign a trusted member of your team to talk to employees about identity theft prevention and recovery. Victims of identity theft can spend hours on the phone and online trying to get accurate information. Put your employees on the fast lane to recovery by letting them know about IdentityTheft.gov. Then, they can more quickly get back to their work of helping your business grow.

Tell your customers about IdentityTheft.gov. If your business suffers a data breach, include IdentityTheft.gov as a resource in your breach notification letter and on your website. Even if you never have a data breach, IdentityTheft.gov can be a useful tool for your customers. For example, think about your business’ protocols for working with customers who call about unauthorized charges or accounts. Consider adding the simple step of mentioning IdentityTheft.gov as part of those protocols. Using IdentityTheft.gov may help your business change a distraught consumer into a loyal customer.

Tell your community about IdentityTheft.gov. We all know someone who has been a victim of identity theft. That’s why identity theft prevention and recovery can be an excellent outreach project for your business or your industry association. You can order free materials, including an IdentityTheft.gov bookmark to distribute at community events. Visit bulkorder.ftc.gov to place an order. All of the FTC’s materials are free and in the public domain. IdentityTheft.gov offers a low cost/high impact way to reach out to your community. 

Interested in learning more about the FTC’s resources for businesses?

Then sign up for the FTC business blog. It’s the best way to learn about new FTC cases, events and developments that may affect your business. Visit ftc.gov/business to sign up and view all FTC materials for businesses.

Now that you know about Start with Security and IdentityTheft.gov, spread the word. Why? Because it’s good business — for you, your customers, your employees and your community — now, and in the future.

Jessica L. Rich was appointed the Director of the FTC’s Bureau of Consumer Protection (BCP) by Chairwoman Edith Ramirez on June 17, 2013. She oversees Commission attorneys, investigators and administrative personnel working to protect consumers from deceptive and unfair practices in the commercial marketplace. Rich joined the FTC as a staff attorney more than 25 years ago and has also developed a number of significant FTC rules.