On August 4, 2017, the FTC released its second “Stick with Security” principle, which addressed the next step a company should take after it has identified confidential data in its possession and determined what information it needs to maintain for business purposes. The FTC’s advice is to “put limits in place to control access to data sensibly,” which can be done in two ways:
Restrict Access to Sensitive Data
If employees do not need to use personal information as part of their job, they should not have access to it, physically or electronically. Giving access to sensitive data when it is not necessary can create situations that put highly confidential information at risk. The FTC recommends a few best practices, such as utilizing a locking desk drawer, a “clean desk” policy, and limiting employee access to various databases based on a business need.
Limit Administrative Access
While it is essential for companies to put individual(s) in charge of modifying or changing network settings, a risk materializes if a systems administrator is untrustworthy, or if too many employees have administrative rights (for example, IT staffers have the same login as the receptionist or sales assistant). The FTC advises companies to restrict “backstage passes” to confidential information, i.e., limit access to data to only those who need it.