Federal Trade Commission Signals Intensified Focus on Security-By-Design and the Internet of Things With New Start with Security Initiative for Small and Medium-Sized Businesses

Download IconDownload Print IconPrint

Federal Trade Commission Signals Intensified Focus on Security-By-Design and the Internet of Things With New Start with Security Initiative for Small and Medium-Sized Businesses

Client Alert

Related Solutions

A global team handling highly complex and sensitive matters in all aspects of litigation.
Drawing on years of experience in the public and private sectors, our lawyers handle a range of litigation involving the federal government, state and foreign governments, and complex regulatory regimes.
We leverage technical knowledge, business acumen and legal experience to structure, prepare and negotiate innovative and effective technology-related agreements.
Our clients in the ever-changing and fiercely competitive hardware, software, IT and services industries depend on us to strategize and negotiate transactions that take advantage of opportunities now while protecting their innovations and preserving flexibility for the future. We structure, negotiate and draft all types of licensing, distribution, product development, joint venture and strategic alliance agreements for these clients, often drawing on the deep experience of WilmerHale’s unique capabilities in regulatory, intellectual property, corporate and tax law. We represent both mature and emerging companies with business models centered around offering software and/or professional services relating to analyzing and extracting insights from large data sets. We frequently draft and negotiate data license agreements, software-as-a-service (SaaS) agreements, website terms and other services agreements in which data is the core subject of the license. We also advise technology clients on big data issues that arise in outsourcing, joint venture and other transactional matters. Our attorneys keep a close watch on internet-related legislative and regulatory developments in the United States, the European Union and elsewhere, and leverage our up-to-the-minute knowledge to advise clients in areas such as data privacy and security, copyright infringement, and export restrictions.
We help companies protect data, comply with evolving regulations, and respond to investigations and litigation.
Cybersecurity and Privacy
Helping clients launch their businesses and transform their innovative ideas into successful companies.
Providing a strategic, multidisciplinary approach to help clients develop and use AI and to navigate the landscape of Big Data.

The Federal Trade Commission (FTC) recently launched a new Start with Security initiative that aims to provide businesses with resources, education and guidance on best practices for data security. Announced by FTC Consumer Protection Director Jessica Rich at the International Association of Privacy Professionals' annual Global Privacy Summit in March, the Start with Security initiative will initially focus on encouraging small and medium-sized businesses to embrace security-by-design principles. The FTC will hold a series of presentations, seminars and meetings across the country to educate companies and groups about best practices for evolving security needs.  

Last week, FTC Chairwoman Edith Ramirez announced that the initiative's first seminar will take place on September 9, 2015, at the University of California Hastings College of Law in San Francisco. The event will bring together experts from across the country to discuss guidelines for data security, particularly for smaller businesses.

The Start with Security initiative seeks to encourage companies to build security into devices from the start, rather than as an afterthought in the design process. With small and medium-sized businesses collecting increasingly large amounts of sensitive customer data, Commissioner Ramirez has expressed concern about the proliferation of new organizations entering the market without the security experience of more mature businesses, noting that smaller businesses often lack the same data security experience as more mature technology companies.  

The FTC seems particularly concerned with security issues relating to the Internet of Things-the emerging market of everyday devices that are now Internet-connected and continuously tracking personal data. As the Internet of Things grows to include more and more components of households and vehicles, the FTC is emphasizing the importance of prioritizing security in the initial design process, rather than launching potentially insecure beta versions and increasing security over time.

"The number of Internet-connected devices that may be vulnerable to attackers is increasing exponentially," FTC Commissioner Terrell McSweeny observed in a January 2015 article. "To mitigate security risks, the FTC recommends that [Internet of Things] device manufacturers incorporate security into the design of connected products. Properly implemented, security-by-design requires manufacturers to consider security throughout the entirety of a product's lifecycle. This means, for example, incorporating security practices into the culture of a corporation, bringing security expertise into the design phase of a product, working with vendors who prioritize it, and establishing breach protocols that can be implemented when flaws are discovered or attacks occur."

Previous FTC guidance on security-by-design focused on best practices for security in mobile app development. The FTC's app guidance, issued in 2013, did not dictate specific technical requirements, but instead embraced a flexible standard for app developers depending on the amount and sensitivity of the information collected. The FTC provided a dozen tips for mobile app developers, such as practicing data minimization and carefully selecting software libraries or third-party services. These tips focused on thinking critically about security needs and making informed decisions on best practices for the individual company.

The launch of the Start with Security initiative comes at a time when the FTC is facing criticism from companies that claim they lack sufficient guidance on acceptable security practices. Recently, the FTC was sued for "the failure . . . to disclose documents . . . describing standards, guidelines, or criteria for what conduct or omission constitutes an unfair act or practice in or affecting commerce authorizing FTC action, and criteria for bringing such an action, under 15 U.S.C. § 45, related to data or cyber security."

While the FTC's initial focus in the Start with Security initiative has been on providing guidance to small and medium-sized businesses, it also serves to put companies of all sizes on notice that the FTC will be increasingly targeting security practices relating to emerging technologies, apps and connected household devices. We will monitor the initiative closely as it evolves. The lawyers in WilmerHale's Cybersecurity, Privacy and Communications Practice are available to discuss the implications of this initiative and to help clients develop strategies for avoiding scrutiny by the FTC and other regulators in this area.

Notice

Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link.(The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.

I Accept Cancel