The
In August, the agency announced that it is exploring ways to crack down on lax data security practices. In the announcement, the
These concerns are reflected in some of the
Recent FTC Enforcement Actions
Earlier in 2022,
According to the
In its complaint, the
The
Chegg uses a third-party cloud service provided by
According to the complaint, Chegg allowed employees and third-party contractors to access these databases using credentials that provided full access to the information and administrative privileges.
Moreover, the personal data stored by Chegg was stored in plain text and not encrypted. The
With
- Chegg failed to consistently implement basic security measures such as encryption and multifactor authentication;
- Chegg failed to monitor company systems for security threats;
- Chegg stored information insecurely; and
- Chegg did not develop adequate security policies and training.
- Drizly failed to store AWS and database login credentials securely and further failed to require employees to use complex passwords;
- Drizly did not periodically test its existing security features; and
- Drizly failed to monitor its network for attempts to transfer consumer data outside the network.
The
The order further requires Chegg to implement multifactor authentication, or another suitable authentication method, to protect customer and employee accounts.
In another
Notably, the
As a result,
The 2022 complaint alleges that in 2018
In its complaint, the
But
The
The
The
Additionally,
Enforcement actions brought by the
In fact, FTC Chair
Thus, the following steps are suggested to safeguard a company from
Educate Employees on Cybersecurity Measures
Companies should emphasize data security education for their employees and contractors. It is suggested that companies introduce new employees to their data security practices during the onboarding process and follow up with regularly scheduled training for existing employees.
One crucial area to educate employees on is how to safeguard company credentials.
Companies should implement policies and procedures to prevent the storage of unsecured access keys on any cloud-based services. Companies should also have a policy and guidelines requiring the use of strong passwords and multifactor authentication to secure corporate accounts and information.
Companies should implement basic security measures for employees' and contractors' access to sensitive user information. For example, companies should regularly monitor who accesses company repositories containing sensitive consumer information.
Companies might also consider only allowing authenticated and encrypted inbound connections from approved Internet Protocol addresses to access sensitive consumer data.
Performing regular audits can help companies ensure that each employee only has access to what is needed to perform that employee's job functions.
In addition, companies should use audits to identify and terminate unneeded or abandoned employee accounts, such as accounts that are left open after an employee leaves a company or when an employee transfers to a different division/role.
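One way to implement the periodic access review recommended above, as an added example that is not part of the original article: it checks a constructed account inventory for the conditions the enforcement actions highlighted (abandoned accounts, administrative privileges not justified by a job role, missing multifactor authentication). The inventory, its field names, the admin-role list and the 90-day inactivity threshold are assumptions for this example.

```python
"""Access-review audit over a constructed account inventory (added example)."""
from datetime import date, timedelta

# Constructed sample inventory. In practice this would be exported from an
# identity provider or cloud IAM; the field names are assumptions.
ACCOUNTS = [
    {"user": "alice", "role": "engineer", "admin": False, "mfa": True,
     "last_login": "2022-12-20", "employed": True},
    {"user": "bob", "role": "contractor", "admin": True, "mfa": False,
     "last_login": "2022-12-19", "employed": True},
    {"user": "carol", "role": "engineer", "admin": False, "mfa": True,
     "last_login": "2022-06-01", "employed": False},
    {"user": "dave", "role": "platform-admin", "admin": True, "mfa": True,
     "last_login": "2022-12-21", "employed": True},
]

# Roles whose job function justifies administrative privileges (assumption).
ADMIN_ROLES = {"platform-admin"}


def audit_accounts(accounts, today_iso, inactive_days=90, admin_roles=ADMIN_ROLES):
    """Return {user: [finding, ...]} for every account that fails a control."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=inactive_days)
    findings = {}
    for acct in accounts:
        issues = []
        if not acct["employed"]:
            # Account left open after the employee departed: terminate it.
            issues.append("account still active after employee departure")
        if date.fromisoformat(acct["last_login"]) < cutoff:
            issues.append(f"no login in {inactive_days} days")
        if acct["admin"] and acct["role"] not in admin_roles:
            # Least privilege: admin rights only where the role requires them.
            issues.append("admin privileges not justified by role")
        if not acct["mfa"]:
            issues.append("multifactor authentication not enrolled")
        if issues:
            findings[acct["user"]] = issues
    return findings


def run_audit(today_iso="2022-12-22"):
    """Audit the constructed inventory as of a fixed review date."""
    return audit_accounts(ACCOUNTS, today_iso)


if __name__ == "__main__":
    for user, issues in run_audit().items():
        print(f"{user}: " + "; ".join(issues))
```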
Follow Through on Privacy and Data Security Promises
The
When a company promises consumers that it will adhere to reasonable data security practices, it is the company's responsibility to implement basic security measures and checks to fulfill this promise. Those security measures might include encryption, multifactor authentication and complex passwords.
It is also imperative that companies regularly review and update their data security practices. The
Individuals in charge of the company's data security practices should stay abreast of developments in the field.
Respond to Data Security Incidents Quickly and Transparently
The
It is imperative that companies act promptly when data security events are discovered, and that companies be transparent with customers when a data security event occurs — regarding the occurrence of the event, measures the company took to prevent the event and measures the company is taking to rectify the event.
Companies should be vigilant in their efforts to discover data security events. Procedures and policies should be implemented to stay on top of data security events within the company's networks and systems.
For example, adopting file integrity monitoring tools and tools for monitoring anomalous activity can assist with detecting these events.
After implementing these safeguards, they must be tested at least once a year for vulnerabilities, as suggested in the
Conclusion
The
Engaging in efforts to educate employees on data security practices, following through on data security promises, and responding to data security incidents properly can help companies reduce the likelihood of being subject to these proceedings.
This article originally appeared on Law360. Read more at: https://www.law360.com/articles/1561075/ftc-actions-hold-data-privacy-lessons-for-2023.
© Mondaq Ltd, 2023 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source