You’ve heard about Newton’s laws regarding bodies at rest and bodies in motion. A 21st century corollary is to protect sensitive information when it’s at rest on your network and implement effective safeguards when it’s in motion – for example, when a customer transfers confidential data from their computer to your system. Careful companies take the advice of Start with Security by storing sensitive personal information securely and protecting it during transmission.
One strategy is surprisingly simple. Hackers can’t steal what you don’t have, so collect and maintain confidential data only if you need it. Asking customers for sensitive information on the off chance you might use it someday for something isn’t a sound policy. The wiser practice is to sensibly limit what you collect and then store it securely. It’s a cost-conscious approach, too, because it’s less expensive to secure a smaller amount of data stored in designated locations, rather than scads of sensitive stuff scattered throughout your company.
One important security tool is encryption. Encryption is the process of transforming information so that only the person (or computer) with the key can read it. Companies can use encryption technology for sensitive data at rest and in transit to help protect it across websites, on devices, or in the cloud.
How can your business secure data safely, including when it’s en route? Here are some suggestions gleaned from FTC settlements, closed investigations, and questions that businesses have asked.
KEEP SENSITIVE INFORMATION SECURE THROUGHOUT ITS LIFECYCLE.
You can’t keep information secure unless you have a clear picture of what you have and where you have it. One preliminary step is knowing how sensitive data enters your company, moves through it, and exits. Once you have a handle on its journey through your system, it’s easier to keep your guard up at every stop along the way.
Example: An online sporting goods retailer has consumers select a username and password. The company stores all usernames and passwords in clear, readable text. By not storing that information securely, the retailer has increased the risk of unauthorized access.
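As an added illustration (not part of the FTC post), the alternative to the clear-text credential store in the example above: each password is run through a salted, iterated key-derivation function, and only the derived value is stored, so a stolen copy of the store does not hand over the passwords themselves. The `store` dictionary and usernames are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration count for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage."""
    if salt is None:
        salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record; never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def register(store: dict, username: str, password: str) -> None:
    """Constructed stand-in for the retailer's account store: keeps only the hash."""
    store[username] = hash_password(password)


def login(store: dict, username: str, password: str) -> bool:
    record = store.get(username)
    if record is None:
        hash_password(password)  # burn the same work so timing does not reveal unknown users
        return False
    return verify_password(password, record)
```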
Example: A recipe website allows customers to create individual profiles. In designing the registration page, the company considers the many categories of information it could ask for and narrows them down to the ones justified by a business reason. For example, the company considers asking for the user’s date of birth to tailor the site to recipes that might appeal to people of that demographic, but then decides to let consumers pick age ranges instead. By thinking through its need for the information and collecting a less sensitive kind of data, the company has made a more secure choice that will still allow it to tailor the user experience.
Example: A real estate company needs to collect sensitive financial data from prospective home buyers. The business uses appropriate encryption to secure the information when it’s sent from the customer’s browser to the company’s server. But when the information arrives, a service provider decrypts it and sends it in clear, readable text to the company’s branch offices. By encrypting the initial transmission of information, the real estate company has taken a prudent step to keep it safe. But by allowing the service provider to send unencrypted data to the branches, the company hasn’t given sufficient consideration to the importance of maintaining appropriate security throughout the lifecycle of sensitive information.
Example: A company uses state-of-the-art encryption technology, but stores the decryption keys with the data they encrypt. The company should have stored the decryption keys separate from the data the keys are used to unlock.
USE INDUSTRY-TESTED AND ACCEPTED METHODS.
Some marketers design their products to have a unique, quirky look. But “unique” and “quirky” aren’t words you want applied to your company’s security. Rather than reinventing the encryption wheel, the wiser approach is to employ industry-tested methods that reflect the collective wisdom of experts in the field.
Example: Two app developers are preparing similar products for the market. ABC Company uses its own proprietary method to obfuscate data. In contrast, XYZ Company uses a tried-and-true encryption method accepted by industry experts. By using a proven form of encryption, XYZ Corporation has made a prudent choice in developing its product. What’s more, XYZ’s advertising campaign can truthfully tout its use of industry-standard encryption.
ENSURE PROPER CONFIGURATION.
A rock climber may have top-of-the-line gear, but if he hasn’t properly attached the carabiners and pulleys or if he’s using them in a way the manufacturer warns against, he could be in for a disastrous descent. In a similar vein, even when companies opt for strong encryption, they need to make sure they’ve configured it correctly.
Example: A travel company develops an app that allows consumers to buy tickets to popular tourist attractions. The travel company’s app uses the Transport Layer Security (TLS) protocol to establish encrypted connections with consumers. When data is moving between the app and the companies selling the tickets, the TLS certificate is used to ensure that the app is connecting to the genuine online service. However, when configuring its app, the travel company disables the process that validates the TLS certificate. The travel company does this despite warnings from app developer platform providers against disabling the default validation settings or otherwise failing to validate TLS certificates. The travel company should have followed the default recommendations of the app development platforms.
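As an added example (not code from the FTC post or from any app in it), the two client configurations the travel-company example contrasts, written with Python's standard `ssl` module: one with certificate validation switched off, one left at the platform default, plus a small audit function a reviewer could run against any context before it ships. The finding strings are assumptions of this example.

```python
import ssl
from typing import List


def unverified_context() -> ssl.SSLContext:
    """The misconfiguration in the example: chain validation and hostname
    matching both disabled, so the app accepts any certificate from any server.
    Included only so the audit below has something to flag."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context() -> ssl.SSLContext:
    """The platform default the company should have kept: the server's chain is
    validated against the trust store and its name must match the host
    requested. Pinning a modern protocol floor is an added hardening step."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the reasons a reviewer would reject this client TLS configuration."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate name is not matched to the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS older than 1.2")
    return findings
```

Run `audit_context` on the context a library or app actually hands to its HTTP client, not on a freshly built one; the defaults are only protective if nothing later overrides them.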
The reminder for businesses is that confidential data can enter your system, move through it, and exit it in ways you might not have considered. Are you putting reasonable protections in place along the way?
By: Thomas B. Pahl, Acting Director, FTC Bureau of Consumer Protection