Earlier this year, the FTC’s staff released a series of blog posts entitled Stick with Security that updated and expanded upon the prior Start with Security best-practices guide for information security practices.  The Stick with Security series draws from FTC complaints, consent orders, closed investigations, and input from companies around the country to provide deeper insights into the ten principles articulated in the Start with Security guide.  These guidelines serve as a set of minimum recommended standards for “reasonable” data security practices by organizations with access to personal data (i.e. information related to consumers and employees), although they can be applied to other types of data as well.  The recommendations are not legal requirements, of course, but it can be useful for companies to consider the views of the FTC’s staff on the practices that are likely to be seen by the FTC as “reasonable.”  This post summarizes the recommendations made by the FTC’s staff in the Stick with Security series.

Access and Authentication

  • Require credentials to authenticate users and securely store credentials on systems. Webpages and other connected systems that store or process personal data should reside behind a network layer that requires authentication and not be directly accessible without credentials from the Internet or less sensitive parts of a network.  Credentials should not be stored in plain-text (e.g., storing passwords in documents or email folders), and companies should train employees to avoid disclosing credentials in response to phishing schemes and other requests (e.g., over-the-phone password changes).
  • Implement complex password requirements and prevent brute force attacks. Companies should require strong, unique passwords and establish a system to monitor for and prevent brute force attacks to minimize the risk of password cracking by attackers.  Companies should also immediately change default passwords after installing new software, applications, or hardware.
  • Limit privileged access throughout the enterprise. Privileged or administrative access should be granted only to a small number of users.  Each such user should have individualized login credentials that provide limited privileged access to only those systems, processes, or data that are necessary to perform a legitimate business purpose.
  • Require multi-factor authentication for accounts with access to personal data. Companies should not solely rely on username and password credentials for permitting access to personal data; rather they should require a second form of authentication (e.g., an authentication application, a key fob, a USB security key, or a code received via a voice call or text message) for users accessing personal data or systems that can access personal data.
  • Only grant access as needed for the performance of job duties. Companies should grant specific user accounts access to personal data (or to systems that process personal data) only at the minimum access levels necessary to satisfy business needs.
  • Immediately revoke access upon change of circumstance. When an employee leaves or moves positions, a vendor’s contract expires, or specific types of access are otherwise no longer needed, that access should be immediately revoked to prevent unauthorized access.

General Data Security

  • Understand the lifecycle of personal data throughout your network and apply appropriate security measures at each stage. Each company should be aware of how data enters and exits, moves within, and is stored throughout the company in order to implement appropriate security protections at each stage.  Companies should also consider the level of care appropriate when transferring personal data and whether to encrypt personal data in transit and/or at rest within the corporate network, as well as in inbound and outbound transmissions.
  • Properly configure industry-tested and accepted security methods. With many security options available in the market, companies should consider choosing options that are consistent with industry standards rather than unique, untested approaches.  Additionally, companies should configure security controls in a manner that is consistent with manufacturer specifications, verify the configuration through testing, and follow major platform security guidelines for developers.
  • Only collect and use data as needed. Limiting data collection and use to what is necessary to meet business needs not only minimizes cybersecurity risks, but may also reduce the cost and logistical complexities of storing and maintaining large quantities of data.
  • Periodically review, assess, and (if needed) securely delete data. To ensure personal data is not unnecessarily retained, a company should periodically review the data it holds to assess whether the data is still necessary for a legitimate business need, and if the data is no longer needed, securely delete the data from all applicable systems.  Secure deletion methods should prevent the information from being reconstructed, including shredding or burning documents or wiping electronic data and devices (e.g., hard drives, discs, and external flash drives) with a tool designed to render the data unreadable.
  • Protect devices from unauthorized physical access. To reduce the risk of unauthorized access to personal data and company networks posed by lost or stolen laptops, phones, or other devices, companies should enable remote tracking and secure wiping of devices (or specific information on the devices).

Network Security

  • Implement network segmentation. Consider segmenting networks using properly configured firewalls to reject unnecessary traffic between segments.  Also, consider segmentation based on physical location as well as sensitivity of information, and implement security measures to protect against unauthorized movement between segments (e.g., requiring and securely storing unique credentials for each segment).
  • Monitor network activity and respond to alerts. Properly implement, test, and calibrate tools to detect malicious network activity, including unauthorized uploads and downloads from internal or external threats, and adequately respond to alerts generated by these tools.
  • Mandate minimum security requirements for remote network access. In addition to mandating minimum standards for corporate and third-party systems to connect remotely to a company’s network (e.g., specific endpoint protections and security patches) and rejecting network connection attempts from systems not in compliance, companies should periodically verify compliance.  Also, companies should consider establishing certain limitations for remote access that potentially restrict the duration and/or scope of the access.

Vulnerability Management and Patch Management

  • Test for common vulnerabilities. These tests should ideally occur both before deployment of systems or release of products, and periodically thereafter.  They should test for commonly known vulnerabilities, such as those highlighted by the Open Web Application Security Project’s (“OWASP”) Ten Most Critical Web Application Security Risks or other public resources (e.g., vulnerability reports published by US-CERT).
  • Establish procedures to receive threat intelligence and swiftly remediate any vulnerabilities. Establishing designated channels to receive and process threat intelligence is vital to securing an environment.  These channels should be open and available to security researchers, vendors, and other third parties to report potential threats, including vulnerabilities, to companies.  Companies should, in turn, quickly remediate validated weaknesses to prevent exploitation.
  • Develop methods to install updates and patches and provide the same to consumers. If systems or software on a company’s network are vulnerable to new threats, companies should follow industry practices in updating and patching the information technology.  Similarly, if a company identifies vulnerabilities in its own products, it should have a deliberate plan to distribute updates with prompts for consumers to apply updates.

Employee Security Training and Enforcement

  • Develop a culture that prioritizes security. Companies should promote a culture that prioritizes security through training and management actions that emphasize the importance of good security practices and empower employees at all levels to suggest improvements to security processes.
  • Provide initial training to all new users and periodically refresh all users’ training. This training should occur at the time of hiring and periodically thereafter for all users, and cover topics such as password standards, secure data disposal, and how to protect against phishing attempts.  Users with roles that directly involve security or access to personal data (e.g., network defenders, application developers, and human resources) should receive training on specific topics related to their roles in the personal data lifecycle.
  • Emphasize and integrate security during development. Engineers should consider security throughout the product development lifecycle and testing to ensure that security measures are implemented properly.
  • Monitor employee compliance and effectiveness. Companies should implement measures designed to monitor employee compliance with security requirements and assess the effectiveness of the policies and procedures.

Vendor and Supply Chain Management

  • Conduct due diligence. Prior to entering into an agreement with a service provider or vendor who will access a company’s personal data and/or network, verify security-related representations made by the vendor and do not simply rely on attestations related to how the personal data will be used and secured.
  • Include contractual requirements. Agreements with such service providers or vendors should include explicit security requirements (including specific provisions requiring reasonable security practices) and, if appropriate, performance standards and methods to audit compliance.
  • Exercise audit rights to verify compliance. Establishing agreements with explicit security requirements to protect personal data is typically not enough for a company to act reasonably.  A company should also monitor for compliance and ensure the terms are being appropriately followed.

Consumer Education and Advertising

  • Enable consumers to make security-conscious choices. By explaining security practices to consumers and calibrating default settings, set-up wizards, and toolbars to the most protective settings, companies can help protect consumers by requiring affirmative personal choices to reduce the level of security.
  • Avoid false statements in advertising. Ensure that advertising materials do not contain any express or implied misstatements related to security practices.

Ashden Fein

Ashden Fein is co-chair of Covington’s Data Privacy and Cybersecurity Practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance. Ashden also serves as lead counsel in criminal, civil, and internal investigations involving cybersecurity, insider risk, and U.S. national security issues.

Ashden regularly counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Ashden also assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He frequently represents government contractors in False Claims Act matters involving cybersecurity and national security. Additionally, he advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks. Ashden is a retired U.S. Army officer.

Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

Lindsay Brewer

Lindsay advises clients on environmental, human rights, product safety, and public policy matters.

She counsels clients seeking to set sustainability goals; track their progress on environmental, social, and governance topics; and communicate their achievements to external stakeholders in a manner that mitigates legal risk. She also advises clients seeking to engage with regulators and policymakers on environmental policy. Lindsay has extensive experience advising clients on making environmental disclosures and public marketing claims related to their products and services, including under the FTC’s Green Guides and state consumer protection laws.

Lindsay’s legal and regulatory advice spans a range of topics, including climate, air, water, human rights, environmental justice, and product safety and stewardship. She has experience with a wide range of environmental and safety regimes, including the Federal Trade Commission Act, the Clean Air Act, the Consumer Product Safety Act, the Federal Motor Vehicle Safety Standards, and the Occupational Safety and Health Act. Lindsay works with companies of various sizes and across multiple sectors, including technology, energy, financial services, and consumer products.