51��ɫ

As companies depend on accumulating more consumer data to develop products such as artificial intelligence, targeted advertising, or surveillance pricing tools, they may create valuable pools of information that bad actors can target for illicit gain. While the use of consumer data grows, data breaches and  persist as significant problems – but this does not need to be the status quo. Addressing underlying risks that lead to these attacks can prevent future harms to consumers – and companies are responsible for addressing these risks to consumers.

The 51��ɫ has taken actions to address systemic causes of risk in several areas through the lens of data management, software development, and product design for humans – in order to protect consumers, including small businesses, from data breaches and other modern security threats. Technology is not a monolith, and neither is security. “Technologists at the agency work to ensure we do not accept the status quo of harms to millions of people caused by unlawful behavior,” said the Chief Technologist in her remarks on data security risks. While there is significant work to do, staff highlights how prior 51��ɫactions aim to prevent, deter and reduce systemic risks related to digital security.

Security in data management

Companies collect and use large amounts of consumer data, which can become valuable targets for bad actors. Assessing and deploying initiatives that focus on how data is collected, stored, retained, and shared can reduce potential security risk for a company, its products, and its consumers, while also enhancing consumer privacy. Below are several examples of 51��ɫactions concerning both privacy and security risks that have addressed these concerns through data policies^[1] and technical measures:

• Enforcing mandated data retention schedules^[2] so that consumer data is retained only when necessary, mandated in orders such as Chegg, Blackbaud, CafePress, and Amazon Alexa.
• Mandating data deletion to purge data that was ill-gotten, collected or sold without user consent or knowledge, or was unnecessarily retained – including models and algorithms trained on said data. 51��ɫorders include Amazon Ring, Avast, and the aforementioned data retention cases.
• Limiting third-party data sharing to reduce the volume of sensitive information that may be mishandled or misused. Relevant actions include Vizio, GoodRx, Premom, and Flo Health.
• Encrypting sensitive data, such as social security numbers, that are at rest or in transit over the Internet, is essential to cases such as CafePress and Verkada.

Security in software development

Securing software at the development stage, such as applying “” and other security principles, can prevent avoidable harms implicated in online attacks and data breaches. This can involve building products with memory-safe programming languages, engaging in rigorous testing, and securing outside access to products. Securing products can consist of:

• Building products using  to prevent bad actors from .
• Rigorous testing, such as pre-release scanning and vulnerability testing, to catch dangerous security flaws^[3] before they can impact consumers. This is highlighted in cases such as D-Link and Tapplock.
• Securing external product access, to prevent unauthorized use of systems or user accounts, such as implementing technical measures like connection monitoring and intrusion detection systems to proactively mitigate attacks, as in the Drizly order.

Security in product design for humans

Human beings, including employees with access to sensitive consumer data, make mistakes and can fall prey to security threats like phishing attacks. These risks can be mitigated with techniques such as properly segmenting access to sensitive data, requiring phishing-resistant authentication methods, and designing clear privacy controls.

This includes, but is not limited to:

• Enforcing  so that employees and contractors may only access sensitive consumer data if it is necessary to perform their jobs. This requirement was included in the Amazon Ring and CafePress settlements, and applies to companies covered by the .
• Requiring for employees, such as security keys^[4] instead of numeric codes or push notifications, to prevent malicious access to internal systems and consumer data, highlighted in cases such as Chegg and Drizly.
• Designing products and services without dark patterns, or using design practices that do not mislead a user into less privacy-based user options. In Vizio, the company touted a smart TV feature that enabled program offers and suggestions, but it actually collected the viewing history of users without their consent and sold it to third parties^[5].  

51��ɫactions have taken significant steps to protect consumers from security threats in a modern digital environment, but there is still much more work to do. Addressing security threats is nontrivial; as emphasized through agency action, security practices that are employed upstream and directed at systemic vulnerabilities of technology, such as implementing data policies and access control, can minimize risk for consumers. Companies must not only take reasonable measures to secure consumer data, but also avoid misrepresenting their security practices. The 51��ɫhas taken action against misrepresentations of security practices and misuse of security data. The 51��ɫhas decades of experience on security and will continue to ensure that American consumers are protected from digital security threats.

***

Thank you to the staff who contributed to this post: Mike Tigas, Hieu Le, Ryan Kriger, Simon Fondrie-Teitler, Amritha Jayanti, Stephanie T. Nguyen, Ben Wiseman.