Cybersecurity engineering under the Federal Trade Commission

When the Federal Trade Commission (FTC) releases new regulations or changes to existing ones, the implications may not be obvious to the average business or company employees.

The FTC and privacy

The FTC is a federal agency that protects consumers from fraudulent, deceptive, and unfair business practices. The Commission, often in collaboration with other regulatory agencies such as the United States Department of Justice and Attorney General, has enforcement authority and other responsibilities under more than 70 federal laws.

The FTC has used its authority to promulgate specific privacy-focused rules, including the Health Breach Notification Rule (HBN Rule), the Standards for Safeguarding Customer Information under the Gramm-Leach-Bliley Act (Safeguards Rule), the Children’s Online Privacy Protection Act (COPPA) and the Fair Credit Reporting Act.

The FTC uses its primary authority under Section 5 of the FTC Act to bring enforcement actions against organizations following data security incidents that it believes involve deceptive practices, often due to misrepresentations in an organization’s privacy policy or unfair practices by failing to use reasonable measures to secure sensitive information.

The FTC’s recent actions demonstrate a trend toward increased cybersecurity and data privacy scrutiny. It intends to further expand its role in setting and enforcing cybersecurity and data privacy standards. As an example, the FTC announced a final rule amending the Safeguards Rule to strengthen the data security requirements that financial institutions must implement to protect customers’ financial information.

Organizations should review their operations to ensure compliance with the FTC’s existing and recently amended rules. Companies should also review and update their privacy policy, implement, or review their documented information security program and implement or review their incident response plan. Organizations must protect any sensitive data in their possession or the possession of their vendors and ensure they can effectively respond if a data security incident occurs.

Some best practices that can help an organization reduce the risk of non-compliance with the FTC act are as follows:

To accomplish the privacy rule:

1. Discover the purpose, use and location of data inside and outside your enterprise.
2. Implement accurate tagging for all personal data handling/storage across data repositories.
3. Ensure website compliance requirements for your websites.
4. Provide customers with clear and conspicuous privacy notices that include information collected, with whom it may be shared, how information is protected, and an explanation of the opt-out policy. Opt-outs must be processed within 30 days.
5. Prevent the disclosure of any nonaffiliated third-party marketer consumer’s personal information, access code to credit card, deposit, or transaction account.
6. Integrate consent management into your marketing and IT technologies to manage consent lifecycle, from collection through withdrawal.
7. Encrypt data in storage and in transit using FIP 140-2 L3 compliant encryption standard to protect the confidentiality of customer records and information.
8. Establish a company guideline for handling personal data and train staff on proper data-handling practices.

To accomplish the safeguard rule:

1. Design an information security program containing “administrative, technical, and physical safeguards” to protect the security, confidentiality, and integrity of customer personal information, including both electronic and paper records.
2. Designate an employee to coordinate safeguards of customer information.
3. Implement data mapping to discover and inventory applications/assets in use, the business processes associated with these assets, and configure and document the key attributes associated with them.
4. Implement assessment automation to:

• Identify and track the use of personal information across your organization
• Conduct periodic privacy impact assessments (PIA)
• Operationalize privacy by design (PbD)

5. Protect against security threats and unauthorized access to customer data.

• Maintain security patches and updates process that regularly update server, client and network device operating systems and programs.
• Implement an enterprise-level advanced malware detection solution that offers real-time malware detection.
• Implement a network monitoring, analytics and management tool for continuous monitoring of safeguards to ensure compliance and maintain a strong security posture.
• Implement network security devices such as next-generation routers, firewalls, and other security appliances.

6. Minimize data breach risk – Test data breach response plan. Minimize data collection to a need basis. Where possible, use anonymized and aggregated data. Follow all company guidelines when handling personal data.
7. Have a business continuity plan – Have a plan for saving data, running the business and notifying customers in case of a breach.

To accomplish the pretexting provision:

1. Prohibit the practice of pretexting, or accessing private information using false pretenses:

• Employ access controls – configure user roles and privilege levels, strong user authentication with a complex password and multi-factor authentication.
• Establish approval processes for access to customer information.

Waiting for a federal security and privacy law

The FTC is expanding its role in setting and enforcing cybersecurity and data privacy standards. However, there is not yet an overarching federal security and privacy law. If Congress enacts such law in the future, there is a chance that the law will provide further authority to the FTC to enforce the law’s requirements.

If no such decree is enacted, the FTC will nonetheless still use its primary authority to ensure that organizations are appropriately safeguarding consumers’ personal information and respecting consumers’ privacy.

Co-author: Abiola Salau, Manager of Business Consulting, EPAM Systems