On February 1, 2023, the FTC released guidance highlighting three data security practices that the agency increasingly views as essential for protecting consumer data. Complex data systems, the FTC argues, require “safety engineering” to reduce risk. One of the core lessons of “safety engineering” is that systems are operated by real humans and must therefore be designed to mitigate the risk that human error will lead to data loss.
The FTC guidance makes clear that the FTC has grown “frustrat[ed],” suggesting that many are missing the “signal to market participants” that these three data security practices are essential for protecting user data. Particularly in light of recent enforcement actions, this guidance reads like a last warning: the FTC views a failure to implement these standards as a de facto unfair trade practice.
Multi-Factor Authentication (MFA)
First, the FTC emphasizes that companies should be enabling MFA as a minimum-security measure because it means “a compromised password alone is not enough to take over someone’s account.” The guidance suggests that MFA for employees is mandatory and urges companies to adopt the “strongest forms” of MFA available (such as physical security keys) for their own IT systems. For consumers, the guidance is less strict, stating that companies must offer MFA, but not forcing businesses to make MFA mandatory for consumers. Similarly, the guidance suggests that businesses may choose to offer less secure, but more user-friendly MFA options for consumers (such as text messages and software-based rotating codes), finding that even these options are far better than “legacy” tools like security questions, especially those that rely on questions and answers based on information that is likely publicly available on social media or can be cheaply acquired on the Dark Web.
Encryption and Authentication
Second, the FTC states that “Zero Trust” should be the baseline for determining corporate network security. Zero trust network architecture is based on the idea that a user’s access to a network does not mean the user should automatically have privileges to access any particular data or systems; all access privileges must be granted independently so that users cannot move freely throughout a network. The FTC says that companies must increase the security around access to corporate systems by (1) requiring user authentication prior to accessing each corporate system, and (2) encrypting connections between and among independent systems.
Data Retention Schedules
Lastly, the FTC emphasizes the importance of a data retention schedule. Data minimization has long been a core focus for the agency, and this guidance states clearly the FTC’s view that “the most secure data is the data that’s not stored at all.” Though data minimization was first articulated nearly 50 years ago as part of the Fair Information Practice Principles, the FTC argues anew that setting up a data retention schedule necessarily means there will be a full catalog of the data being held, an easier time responding to users’ data requests, and a better sense of the protections needed based on the categories of data being stored.
Recent Case Example
This new guidance comes hot on the heels of the FTC’s most recent data security decision, taken against Chegg, Inc. (“Chegg”) on January 25, 2023. The Chegg case involved many of the requirements discussed above and serves as a good example of how the FTC applies them in an enforcement decision.
First, as to MFA: in line with its recommendations, the FTC required that MFA be implemented both for users and for internal employees, but put stricter requirements on the type of MFA enabled for internal employees. With respect to users, the order simply states that Chegg “must provide multi-factor authentication methods as an option.” It does not mandate a specific type of MFA or MFA with a certain level of security. In contrast, when discussing MFA for employees, contractors, and affiliates, the FTC states the MFA method must not be “telephone or SMS-based” and must be “resistant to phishing attacks.”
The Chegg order also mandated new retention requirements, including that Chegg “document and adhere to a retention schedule” that provides the company with greater knowledge and organization of their retained data. The FTC requires the retention schedule to detail the purpose for each category of covered information collected, the business needs for retaining them, and the set timeframe for deletion. Further, this requirement is intertwined with the requirement that users have the ability to request deletion of their data; in the FTC’s view, a good retention schedule should allow for easier response to these deletion requests.
The Chegg order should signal to other market participants that they need to learn the lessons from history and take seriously the FTC’s frustration.