by Caleb Skeath, Shayan Karbassi, and Ashden Fein

_{From left to right: Caleb Skeath, Shayan Karbassi, and Ashden Fein (Photos courtesy of Covington & Burling LLP)}

In February, the Federal Trade Commission (“FTC”) published a blog post that elucidated key security principles from recent FTC data security and privacy orders.  Specifically, the FTC highlighted three practices that the Commission regards as “effectively protect[ing] user data.” These practices include: (1) offering multi-factor authentication (“MFA”) for consumers and requiring it for employees; (2) requiring that connections within a company’s system be both encrypted and authenticated (e.g., deploying a “zero trust” methodology); and (3) requiring companies to develop data retention schedules.  The FTC noted that while these measures “are not the sum-total of everything the FTC expects from an effective security program, they are a sample of provisions [that the FTC has] seen recently that speak directly to the idea of attacking things at their root cause to produce uniquely effective results.”

Multi-factor Authentication

The FTC’s post highlighted that “[m]ulti-factor authentication is widely regarded as a critical security practice because it means a compromised password alone is not enough to take over someone’s account.”  FTC orders have included provisions related to the implementation of MFA for both consumer and employee accounts:

• Consumer Accounts: The blog post noted that FTC orders have allowed companies to permit consumers to select their own MFA preference. However, these orders have required companies to replace “security questions” with MFA, to offer MFA that does not require the provision of telephone numbers, and not to use information collected for MFA for any other purpose. 
• Employee Accounts: The blog post also noted that FTC orders have required companies to use phishing-resistant MFA, such as security keys, for their own employees. The FTC flagged that – of the available MFA technologies – “only security keys are resistant to phishing and other social engineering attacks.”

Encrypted and Authenticated Connections

The FTC’s blog post also referenced recent FTC orders that have required that “connections within a company’s systems must be both encrypted and authenticated.”  According to the blog post, an alternative approach that uses “a strong firewall outside the corporate network” could allow an attacker to “move freely” once inside the network.  Instead, the blog post described a “Zero Trust” approach as a “baseline” that requires users “to be authenticated and authorized to access a system,” and encrypted connections that protect against an attacker’s ability to “snoop” on legitimate connections.  The FTC’s blog post suggests that these measures will help limit the “blast radius” of a vulnerability and can build on other existing safeguards such as phishing-resistant MFA.

Data Retention Schedules

Finally, the FTC’s blog post noted that recent FTC orders have required companies to develop, publish, and adhere to a data retention schedule based on the “premise that the most secure data is the data that’s not stored at all.”  The blog post noted that such policies provide companies with ancillary benefits such as cataloguing the types of data maintained, the “information needed to prioritize protections based on the types of data,” and the ability to “comprehensively comply with” user requests to delete data. 

Caleb Skeath and Ashden Fein are Partners and Shayan Karbassi is an Associate at Covington & Burling LLP. This post first appeared on the firm’s data privacy and cybersecurity blog, Inside Privacy.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).