Washington, DC - Savvy business people are on the lookout for ways to minimize their companies’ risk of a data breach. Many businesses consult the FTC’s complaints and orders, each of which includes a detailed description of the conduct alleged to have violated the FTC Act. Perhaps it was a broken promise about the care the company said it would take when handling consumers’ sensitive data. In other cases, it might be a pattern of failures which, when taken together, led to the theft and misuse of customers’ confidential information.
But that isn’t the only way to learn about our approach to data security. FTC press releases, business guidance publications, videos, speeches, workshops, reports, more than 150 security-centric Business Blog posts, and other communications offer practical advice on how the FTC Act applies to data security. One particularly practical source of information is Start with Security, our nuts-and-bolts brochure that distills the lessons learned from FTC cases down to 10 manageable fundamentals applicable to companies of any size.
Businesses have asked us to keep the guidance coming, which is why we’re announcing a new initiative, Stick with Security. For the next few months, we’ll publish a Business Blog post every Friday focusing on each of the 10 Start with Security principles. This time, we’ll use a series of hypotheticals to take a deeper dive into steps companies can take to safeguard sensitive data in their possession. We’ll offer easy-to-apply tips to help your company not just start with security, but stick with security to bolster your defenses.
Where are we getting our Stick with Security examples? First, from the FTC’s 60+ complaints and orders, including new settlements and litigated cases announced since Start with Security was published.
Another important source of our Stick with Security examples is the experiences of businesses from across the country. We’ve listened to the day-to-day challenges you face in protecting sensitive information and have learned from the practical approaches you’re taking to address data security challenges.
In addition, there are lessons to learn from investigations that staff closed with no further action. While we don’t disclose the identities of the targets of those matters unless there has been a public closing letter, we think there is more we can do to explain to other companies the general principles that informed our thinking when we decided to close those investigations.
A preliminary question we often get from businesses is whether there are recurring themes that run through the investigations that are ultimately closed without law enforcement. One thing we’ve noticed is that those companies’ practices often lined up with the common-sense security fundamentals in Start with Security. For example, the companies typically had effective procedures in place to train their staff, keep sensitive information secure, address vulnerabilities, and respond quickly to new threats.
Here are some other recurring themes that offer insight into why investigations into breaches you may have heard about didn’t necessarily result in FTC law enforcement:
- There’s more (or less) to the story than meets the eye.
Just like you, FTC staff reads the news. We see stories about data breaches and potential vulnerabilities all the time. But press reports are just the beginning of a potential inquiry and sometimes we learn there’s more to the story than what was initially reported. For example, a news report might call attention to a breach, but not focus on the fact that the data was encrypted – a factor that substantially reduces the risk of consumer injury. Or perhaps a purported insider asserts that a company doesn’t securely dispose of old consumer data, but the company provided us with credible evidence that it does. So in some instances, there may have been smoke, but further investigation revealed no fire.
- Proceeding further wouldn’t be a good use of resources.
We like to think of the FTC as a small federal agency that – in appropriate circumstances – can pack a powerful law enforcement punch. But we’re always conscious of the need to be good stewards of taxpayer dollars. Sometimes a company’s practices may raise initial concerns, but there are other factors that suggest law enforcement wouldn’t be in the public interest. For example, in some cases, a small business may have collected small amounts of non-sensitive information. In instances like that, if a breach occurs, we’re less likely to spend limited resources to investigate.
- We’re not the right agency.
Given the FTC’s broad jurisdiction over most commercial practices, we’re the primary cop on the beat when it comes to data security. But we’re not the only cop on the beat. As a result, we work closely with other agencies with related missions – the Department of Justice, Department of Health and Human Services, Consumer Financial Protection Bureau, Federal Communications Commission, and National Highway Traffic Safety Administration, to name just a few. Sometimes an alleged incident or practice is a more natural fit for another law enforcer. If that’s the case, we may refer matters to other agencies and offer any assistance the law allows us to give. That’s just one of the ways we work to avoid duplication, streamline investigations, and ensure a consistent approach to data security.
- The risk to data is theoretical.
Over the past several years, we’ve seen an uptick in researchers focused on privacy and security issues. That’s a development we welcome. We look to the latest studies – both research presented at PrivacyCon and elsewhere – to educate ourselves about emerging technologies and identify practices for investigation. But not all research leads to law enforcement. Sometimes when researchers bring practices creating vulnerabilities to our attention, the risk of the vulnerability being exploited to cause consumer injury is more theoretical than likely. For example, there may be a vulnerability in a mobile device that would take highly sophisticated tools to exploit, and even then, data could be compromised only if the hacker had the consumer’s phone in hand. If that’s the case, we’re more likely to pass on an investigation than proceed.