On September 8, 2017, the FTC released its seventh “Stick with Security” principle, which offered guidance on how companies can incorporate security by design to prevent or minimize threats in the following ways:
Train Your Engineers in Secure Coding
Companies would be wise to state explicitly from the outset that security matters and to make it a primary consideration in their employees’ decision-making. For example, the FTC recommends emphasizing to software engineers the significance of secure coding throughout the development process; this also entails providing the training necessary to meet that expectation.
Follow Platform Guidelines for Security
Starting with security does not mean companies need to reinvent the wheel. According to the FTC, every major platform has guidelines for developers to consult regarding how to keep sensitive data secure.
Verify that Security Features Work
Before rolling out a new product to the public, the FTC recommends that companies verify that security features function correctly. This is especially important if companies make claims to their customers about the nature of the security provided. Importantly, under the FTC Act, companies are responsible for all representations – express or implied – “that consumers acting reasonably under the circumstances take from a company’s marketing materials.” For example, if a company promoting a household budgeting app claims that the app has “bank grade security” but does not have a written security program, does not conduct risk assessments, does not train its employees in secure information practices, and fails to implement the other practices associated with that level of security, the FTC will likely take the position that the company has violated established truth-in-advertising standards. When it comes to statements about data security and privacy, organizations should follow the mantra of “say what you do, and do what you say.”
Test for Common Vulnerabilities
No one expects a software product to be “100% hack-proof,” but companies can and should regularly test their products to ensure that they have built in defenses against known risks. Because new threats emerge continually, security should be viewed as an ongoing process rather than a one-time event. The FTC recommends keeping up with the “robust public cross-talk” among researchers, tech experts, and government agencies. For example, it notes that regularly consulting a public resource such as US-CERT for updated information on cyber threats can help inform sound product development.