FTC Settlement Drives Companies to Strengthen Data Security Measures
November 02, 2017
In light of a recent settlement with Uber, the Federal Trade Commission has released 10 data security recommendations for all businesses.
As cybersecurity awareness month winds down, it’s a good time for businesses to reflect on their data security measures. Here’s a recent case that reminds owners and managers why it’s critical to stay one step ahead of cybercriminals.
Case in Point
The Federal Trade Commission (FTC) filed a complaint against Uber over a 2014 intrusion, alleging that the ride-sharing company's IT systems were not designed or staffed to effectively monitor and secure consumer data. The FTC also claimed that Uber:
- Allowed employees to access its cloud storage with a single access key that provided full administrative privileges over rider and driver data,
- Failed to restrict access based on employees’ job functions,
- Failed to require multifactor authentication for access, and
- Stored sensitive information in unencrypted plaintext.
An employee allegedly posted the access key to Uber's cloud storage system publicly on the Internet, and an intruder used it to access the personal data of approximately 100,000 Uber drivers. Because the key was not scoped to a job function and no second factor was required, possession of the key alone was enough.
In August, the FTC announced a settlement, which prohibits Uber from misrepresenting its privacy and security practices. It also requires Uber to put a comprehensive privacy program in place and obtain third-party audits every two years for the next 20 years.
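The three access-control failings in the complaint (one key with full administrative rights, no restriction to the employee's job function, no multifactor authentication) are all visible in the policy attached to a credential, so they can be caught by a policy audit before a key ever leaks. The script below is an added example, not material from the FTC order or from Uber: it lints policy documents in the AWS IAM JSON shape (Statement / Effect / Action / Resource / Condition), which is an assumption about the storage platform, and the bucket, prefix and policy names are constructed for illustration. It also illustrates steps 2 and 3 of the FTC list that follows.

```python
"""Audit cloud-storage access policies for the three failings the FTC alleged:
a key with full administrative rights, access not scoped to the job function,
and no multifactor authentication requirement.

Added example, not from the FTC order or Uber. Policies use the AWS IAM JSON
document shape (assumption); bucket and prefix names are constructed.
"""
import json
from typing import Dict, List


def _as_list(value) -> List[str]:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy: Dict) -> List[str]:
    """Return findings for one policy document; an empty list means clean."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        cond = stmt.get("Condition", {})

        # Finding 1: full administrative privilege ("*" or a service-wide "s3:*").
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"wildcard action {actions}: grants administrative rights")

        # Finding 2: not restricted to the data the job function needs.
        if any(r == "*" for r in resources):
            findings.append("resource '*': not scoped to the data the role needs")

        # Finding 3: the allow does not require a second factor.
        # aws:MultiFactorAuthPresent is the real IAM condition key for this.
        mfa = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if mfa not in ("true", True):
            findings.append("no aws:MultiFactorAuthPresent condition: MFA not enforced")
    return findings


# Constructed policy documents for illustration only.
# The shape the complaint describes: one key, every action, every resource.
SHARED_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# A job-function policy: read one prefix of one bucket, and only with MFA.
SUPPORT_ANALYST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-rider-data/support-tickets/*"],
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-rider-data"],
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "StringLike": {"s3:prefix": ["support-tickets/*"]},
            },
        },
    ],
}


def audit_all(policies: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Audit several named policies and return findings per name."""
    return {name: audit_policy(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    report = audit_all({
        "shared-admin-key": SHARED_ADMIN_POLICY,
        "support-analyst": SUPPORT_ANALYST_POLICY,
    })
    print(json.dumps(report, indent=2))
```

Run against exported policies, the checks flag the shared admin key three times and pass the scoped, MFA-gated policy; the service-wide wildcard test (`s3:*`) is deliberately strict, since full control of a storage service is administrative access in all but name.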
10 Steps to More Secure Data
This high-profile settlement teaches a valuable lesson: Consumers expect all businesses — large and small, virtual and brick-and-mortar — to secure data and fulfill their data security promises.
How can you take data security to the next level? The FTC recommends that businesses consider these 10 steps:
- Start with security. When asking for consumer data, collect only the data you need and keep it for only as long as needed.
- Control access to data sensibly. Access to data should be limited to employees who need the information or administrative privileges to perform their job functions.
- Require secure passwords and authentication. It's also important to safeguard systems against common "back door" vulnerabilities and against brute-force tools that try many password combinations, for example by limiting failed login attempts.
- Store sensitive personal information securely and protect it during transmission. Sensitive data should be secured throughout its lifecycle (including disposal) using industry-tested and accepted encryption algorithms that are properly configured.
- Segment your network and monitor who’s trying to get in and out. Tools like firewalls can limit data sharing with users inside and outside your network.
- Secure remote access to your network. A mobile workforce creates opportunities and risks. Cybersecurity measures need to address remote access points, such as employees’ home networks and smart devices.
- Apply sound security practices when developing new products. When engineers design a new app or innovative software, use secure coding, follow platform security guidelines, and verify the effectiveness of privacy and security features against common vulnerabilities.
- Make sure your service providers implement reasonable security measures. Data security measures are only as strong as the weakest link in your supply chain.
- Implement procedures to keep your security current and address vulnerabilities that may arise. Data security isn’t a one-and-done deal. It’s an ongoing process.
- Secure paper, physical media and devices. Data security extends beyond your IT network and the Internet. Many of the same lessons apply to paperwork, hard drives, laptops and other types of physical media.
Don’t become another data breach statistic! Our information security services group can help you customize a cost-effective data security plan that protects consumer data from cyberattacks on an ongoing basis.