Privacy & Information Security Law Blog

On August 4, 2017, the FTC published the third blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled “Stick with security: Control access to data sensibly,” details key security measures businesses can take to limit unauthorized access to data in their possession.

The blog post notes that just as business owners lock doors to prevent physical access to business premises and shield company proprietary secrets from unauthorized eyes, they should exercise equal care with respect to access to sensitive customer and employee data.

The post outlines two key security steps companies should take:

• Restrict Access to Sensitive Data: Employees who don’t use personal information in the course of their employment duties do not need to have access to it. Physical confidential data should be secured in a filing cabinet, locked desk drawer or other secure location. Additionally, a clean desk policy minimizes the risk that data may be accessed by an unauthorized person after hours. Digital confidential information can be secured by providing employees with separate user accounts that limit who can view certain files or databases. For example, a staff member in charge of payroll should have password protected access to a database of employee information.
• Limit Administrative Access: While it is essential that a system administrator has the ability to change network settings in a business, this privilege should be limited to a select few people. The FTC compares such access to a bank giving the combination to the central vault to only a few people. By requiring different logins for employees and providing each user with the appropriate system privileges, companies can reduce the risk of having too many employees with administrative rights and avoid untrustworthy administrators.

The FTC’s next blog post, to be published Friday, August 11, will focus on secure passwords and authentication.