Data breach has been big news lately. And with big data dictating that more information be collected and stored, it seems inevitable the trend will continue. While some states are looking at new data breach laws, the FTC has been enforcing them for some time already.
The FTC pursues some cases under specific regulations such as GLB (Gramm-Leach-Bliley) for financial services or COPPA (Children’s Online Privacy Protection Act) for those involving minors, but recent cases for the most part rely on the FTC’s bread and butter action – unfair or deceptive practices.
The civil complaints can be as short as 2 pages and cite violations something along the lines of the following:
- Company didn’t protect information and it got breached.
- The breach therefore constitutes an unfair or deceptive practice.
Some of the FTC’s higher profile cases include media companies such as Twitter and Snapchat. But there have been cases against smaller companies with revenues between $20-$50 million and even local businesses with just a few employees (although these seem to have been mostly in the mortgage or financial services areas).
However, the FTC would rather businesses avoid problems with data breach than file lawsuits. It recently released 10 tips for businesses to implement good data security practices based on problems the FTC identified in 50+ claims it filed over the last decade or so.
“Promoting good data security practices has long been a priority for the FTC,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “The new Start with Security initiative shares lessons from the FTC’s 53 data security cases. Although we bring cases when businesses put data at risk, we’d much rather help companies avoid problems in the first place.”
The FTC’s guidance document, titled “Start with Security: A Guide for Business” lists a number of more obvious mistakes that companies made such as collecting unnecessary information and storing it too long and failing to encrypt data across all use or distribution channels. But it also includes some less intuitive lessons such as being liable for the security practices of service providers you hire and testing your own systems in ways that hackers might use as an attack.
Regardless of the size of your company it is important to implement security practices. The earlier those practices are adopted, the easier it will be to maintain them.