Recently, data security experts and regulators have said that “businesses should use a common sense approach” when addressing data security. However, rarely do I hear clients or other business professionals speak in those terms. Many organizations find data security to be daunting. It does not have to be. In fact, it can be a matter of common sense.
In 2015, the Federal Trade Commission (FTC) published a business guide called “Start with Security.” The guide is a compilation of lessons learned from cases brought by the FTC incorporated into 10 fundamentals that are applicable to any organization.
On July 21, 2017, the FTC announced that it would start a new initiative, Stick with Security, which is a weekly Business Blog post that tackles one of the 10 Start with Security principles.
The first post from July 28 discusses the commonsense principle that if you don’t have a reason to collect the information, then don’t. Organizations should ask: 1) Why are we collecting this information? 2) Can we achieve our goal without requesting and maintaining personal data? and 3) How quickly can we properly discard the data? Included in the Stick with Security blog posts are simplified examples with easy-to-apply tips. For example, a bakery sends its customers a birthday coupon, but instead of maintaining the person’s first and last name, address, and date of birth, it only records the customer’s birth month. The business goal is achieved and the company is not storing information that could be combined with other data and used for an unauthorized purpose.
On Aug. 4, the FTC published its second post on controlling access to data. An organization can start by creating a process to limit access or review its policy and controls for one group of data, such as employment records. Once a process is in place, the process can be applied to other sets of sensitive data. The FTC suggests incorporating a clean desk policy or password protecting certain files and databases. Every organization should consistently evaluate who has access to sensitive data and for what business purpose.
Last Friday’s post addressed passwords and authentication. This topic is timely because in June the National Institute of Standards and Technology (NIST) published new password guidelines that suggest passwords should no longer be changed on a fixed schedule, but only when there is some indication that the password was compromised. NIST also suggests that passwords should be long, easy-to-remember phrases rather than short words padded with special characters, capital letters and numbers. The FTC post is consistent with the new NIST guidelines. The FTC password post also touches on password storage, guarding against brute force attacks and instituting multiple authentication techniques.
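The password guidance summarized above can be turned into a small, concrete set of controls. The following is an added example (not code from the FTC or NIST, and not part of the original post) that implements the points the paragraph names: accept long passphrases without character-composition rules, reject passwords known to be compromised, store only a salted slow hash, and throttle repeated failures to blunt brute force guessing. The 8-character minimum and 64-character maximum come from NIST SP 800-63B itself; the compromised-password list, the lockout limits and the PBKDF2 iteration count are constructed values for illustration and would be tuned to a real deployment.

```python
"""Password controls aligned with NIST SP 800-63B (added example, not the
FTC's or NIST's code). Breached list, lockout limits and work factor are
constructed values for illustration."""
import hashlib
import hmac
import os
import time

MIN_LENGTH = 8    # SP 800-63B: user-chosen memorized secrets are at least 8 characters
MAX_LENGTH = 64   # SP 800-63B: verifiers must permit at least 64 characters

# Constructed stand-in for a list of known-compromised passwords; a real
# deployment would load a much larger corpus from a breach feed.
COMPROMISED = {"password", "123456", "qwerty", "letmein", "welcome1"}

# PBKDF2-HMAC-SHA256 work factor (constructed; tune to the server's hardware).
ITERATIONS = 600_000


def check_password(candidate):
    """Return (accepted, reason). Only length and a compromise check are
    applied; no required mix of character classes, per NIST guidance."""
    if len(candidate) < MIN_LENGTH:
        return False, "too short"
    if len(candidate) > MAX_LENGTH:
        return False, "too long"
    if candidate.lower() in COMPROMISED:   # case-folded to be conservative
        return False, "appears in a list of compromised passwords"
    return True, "ok"


def store_password(password):
    """Derive a salted slow hash; the plaintext is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_password(record, attempt):
    """Recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


class LoginThrottle:
    """Counts consecutive failures per account and refuses further attempts
    for lockout_seconds once max_failures is reached. Limits are constructed;
    the clock is injectable so the behaviour can be tested offline."""

    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = {}   # username -> (consecutive failures, time of last failure)

    def allowed(self, user):
        count, last = self.failures.get(user, (0, 0.0))
        if count >= self.max_failures and self.clock() - last < self.lockout_seconds:
            return False
        return True

    def record(self, user, success):
        if success:
            self.failures.pop(user, None)   # a good login clears the counter
        else:
            count, _ = self.failures.get(user, (0, 0.0))
            self.failures[user] = (count + 1, self.clock())


def attempt_login(records, throttle, user, password):
    """Return 'locked', 'denied' or 'ok' for one login attempt."""
    if not throttle.allowed(user):
        return "locked"
    record = records.get(user)
    ok = record is not None and verify_password(record, password)
    throttle.record(user, ok)
    return "ok" if ok else "denied"


if __name__ == "__main__":
    # Constructed walk-through: enrol a passphrase, then exercise the throttle.
    accepted, reason = check_password("correct horse battery staple")
    print("passphrase accepted:", accepted, reason)
    users = {"alice": store_password("correct horse battery staple")}
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60)
    for guess in ["Password1", "letmein", "hunter2", "correct horse battery staple"]:
        print(guess, "->", attempt_login(users, throttle, "alice", guess))
```

The design choice worth noting is what the code does not do: it never demands a digit or a symbol, and it has no expiry field, because under the NIST guidance a long, uncompromised passphrase that is hashed properly and rate-limited on the server side is the control that matters.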
Data security can be presented as common sense, and the FTC blog posts are an example of that approach. It is for that reason that we encourage you to take a look.
National Institute of Standards and Technology, Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, 78 pages (June 2017), https://pages.nist.gov/800-63-3/sp800-63b.html