Privacy & Cybersecurity Law Blog

On September 29, 2017, the Federal Trade Commission published the eleventh blog post in its “Stick with Security” series. As previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Secure paper, physical media, and devices, highlights the importance of adopting a 360 degree approach to protecting confidential data. This strategy includes securing not only networks and information systems, but also paper, physical media and devices.

The practical guidance outlines four steps that organizations can take to ensure the security of documents and devices:

• Securely Store Sensitive Files: Security conscious companies should collect sensitive information only if there is a legitimate business need to do so and they take measures to ensure its safety while it is in their possession. For example, sensitive files should be kept in a secure location on company premises where only the appropriate employees can access them. Further measures, such as locking files in cabinets and locking the room where the cabinets are located, are extra precautionary steps businesses can take to secure their sensitive files.
• Protect Devices that Process Personal Information: Devices put into the wrong hands, if not properly secured, can provide data thieves unauthorized access to everything on a company’s network. Similarly, lost or misplaced devices also pose high security risks. Steps a company can take to minimize the potential damage stemming from the loss of a device include requiring employees to lock company phones with passwords, ensuring devices are encrypted, installing or enabling device finding services, and having appropriate procedures in place to report missing devices.
• Keep Safety Standards in Place When Data Is En Route: Security conscious companies should exercise care when transferring sensitive data. This applies to electronic transfers as well as to the transfer of physical files and devices between locations. For example, if a company sends a hard disk to another one of its offices, ensuring that the drive is encrypted and sending the package through a delivery service that offers shipment tracking can reduce the risk of unauthorized access to data.
• Dispose of Sensitive Data Securely: Simply tossing paper in the trash or deleting files from a desktop is unlikely to deter data thieves. Responsible companies should shred, burn, or otherwise destroy documents using technology that renders the files unreadable and prevents their reconstruction. This is especially important for businesses covered by the Fair Credit Reporting Act and the FCRA’s Disposal Rule.

The guidance concludes by noting that prudent companies put precautions in place to safeguard paperwork, flash drives, phones, CDs and other media that contain sensitive information.

The FTC’s next blog post, to be published on Friday, October 13, will focus on FTC data security resources for businesses. To read our previous posts documenting the series, see “Stick with Security Series”.