Savvy business people are looking for ways to minimize their company’s risk of a data breach. Many businesses review FTC complaints and orders, each of which contains detailed descriptions of alleged violations of the FTC Act. Perhaps this goes against the company’s pledged caution in handling consumers’ sensitive data. In other cases, this may be a failure mode that, combined, can lead to the theft and misuse of confidential customer information.
But that’s not the only way to understand our approach to data security. FTC press releases, business guidance publications, videos, speeches, seminars, reports, more than 150 security-focused business blog posts, and other communications provide practical advice on how the FTC Act applies to data security. One particularly useful source of information is Start with Security, our nuts-and-bolts manual that boils down lessons learned from FTC cases into 10 manageable basic principles that apply to companies of any size.
Businesses have asked us to continue to provide guidance, which is why we are announcing a new initiative, Stay safe. Over the next few months, we will publish a business blog post every Friday focusing on 10 principles for starting with safety. This time, we’ll use a series of assumptions to take a closer look at the steps companies can take to protect the sensitive material in their possession. We’ll provide easy-to-apply tips to help your company not only start with security, but stick with it to strengthen your defenses.
where do we get ours Stay safe example? First, there are more than 60 complaints and orders from the FTC, including new settlements and lawsuits announced since the release of Start Safe.
Another great source of our Stay safe The experience of companies across the country is an example. We heard about the daily challenges you face protecting sensitive information and learned from the practical approaches you take to solve your data security challenges.
Additionally, lessons can be learned from investigations that staff conclude without further action. While we do not disclose the identities of the targets of these matters unless there is a public closing letter, we feel we can do more to explain to other companies the general principles that guide our thinking when we decide to close these investigations.
An initial question we often get from businesses is whether there are recurring themes in investigations that ultimately end without enforcement. One thing we noticed is that the practices of these companies are generally consistent with the common-sense security fundamentals from Start with Security. For example, these companies often have effective procedures in place to train employees, secure sensitive information, address vulnerabilities, and respond quickly to new threats.
Here are some additional topics that emerged to give you insight into why investigations into violations you may have heard about may not necessarily result in FTC enforcement:
- There’s more (or less) to the story than meets the eye.
Just like you, FTC staff read the news. We see stories all the time about data breaches and potential vulnerabilities. But news reports are only the beginning of a potential investigation, and sometimes we learn more about the story than initially reported. For example, news reports may draw attention to a data breach but not the fact that the data was encrypted—a factor that greatly reduces the risk of harm to consumers. Or maybe a so-called insider claims that a company doesn’t handle old consumer data securely, but the company provides us with credible evidence that it does. Therefore, in some cases, there may be smoke, but further investigation shows there is no fire. - Going any further would not be a good use of resources.
We like to think of the FTC as a small federal agency that, under the right circumstances, can wield significant enforcement power. But we are always aware of the need to be good stewards of taxpayer dollars. Sometimes a company’s practices may raise initial concerns, but there are other factors that indicate enforcement is not in the public interest. For example, in some cases, small businesses may collect small amounts of non-sensitive information. In this case, if a breach occurred, we would be unlikely to expend our limited resources investigating it. - We are not the right agency.
Given that the Federal Trade Commission has broad jurisdiction over most business practices, we are the chief police officers of data security. But we’re not the only police. Therefore, we work closely with other agencies with relevant mandates, including the Department of Justice, Department of Health and Human Services, Consumer Financial Protection Bureau, Federal Communications Commission, and National Highway Traffic Safety Administration, among others. Sometimes, the alleged incident or practice is better suited to another law enforcement officer. If this is the case, we may refer the matter to another agency and provide any assistance we are permitted by law to provide. This is just one of the ways we avoid duplication, streamline investigations and ensure a consistent approach to data security. - Data risks are theoretical.
Over the past few years, we have seen an increase in researchers focusing on privacy and security issues. We welcome this development. We focus on the latest research, including research published at PrivacyCon and elsewhere, to understand emerging technologies and identify investigative practices. But not all research leads to enforcement. Sometimes, when researchers bring vulnerability-creating practices to our attention, the risk of exploiting a vulnerability to cause consumer harm is more theoretical than possible. For example, there may be vulnerabilities in mobile devices that require highly sophisticated tools to exploit, and even then, data may only be compromised if a hacker has the consumer’s phone in their hands. If this is the case, we are more likely to abandon the investigation rather than continue.
Next article in the Stay Safe series: First steps starting with security
