Taking Care of HR Business
A blog from the attorneys of Verrill

It’s Not Just Hillary Clinton Who Has to Worry About Security Protocols

by Robert Laplaca on August 7, 2015

Last month, the FTC issued new “guidance” on data security for companies that collect, store, and use consumer data. This guidance “summarizes the lessons learned from more than 50 law enforcement actions the FTC has announced so far.” The full text of the FTC’s Start with Security: A Guide for Business can be found at https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business. Given the consequences a security breach can carry, it is important that employers have in place policies and procedures that direct employees on how to handle and use sensitive information.

The ten lessons to learn from FTC enforcement actions are summarized as follows:

1. Start with security. Factor security into the decision making in every part of your business – personnel, sales, accounting, IT. Don’t collect personal information you don’t need, such as consumer passwords. Hold onto this information only as long as you need it; if the sales transaction is complete, get rid of it. And don’t use personal information when it’s not necessary, such as in training sessions.
2. Control access to data sensibly. Keep the data accessible on a “need to know” basis. Restrict employees’ access to sensitive information stored on your network, and don’t give every employee administrative control over your customers’ sensitive information.
3. Require secure passwords and authentication. Businesses may want to consider protections such as two-factor authentication. Don’t make it easy for unauthorized persons to guess administrative passwords; “1234” is not a secure password. Store passwords securely, not in clear, readable text or in cookies. Guard against brute force attacks, such as a hacker’s use of automated programs to mine for passwords. Restrict the number of login attempts, and suspend or disable accounts after repeated login attempts fail.
4. Store sensitive personal information securely and protect it during transmission. Use strong cryptography to secure confidential material during storage and transmission. Keep sensitive information secure throughout its lifecycle, and make sure your service cannot easily decrypt the information. Use industry-tested and accepted methods for encryption.
5. Segment your network and monitor who’s trying to get in and out. Use tools like firewalls and intrusion detection to limit access between computers and to monitor your network activity. Prevent computers on one in-store network from connecting to computers on other in-store and corporate networks. Monitor activity on your network to detect unauthorized access early.
6. Secure remote access to your network. Make sure the cellphones you give out to employees are properly secured. And don’t allow unlimited access to third parties, such as clients: make sure they have firewalls and updated antivirus software, restrict connections to specified IP addresses, and grant third parties only temporary, limited access.
7. Apply sound security practices when developing new products. Think about security during the development of new apps, software, etc. This should include training your engineers in secure coding, following platform guidelines for security, verifying that privacy and security features work, and testing for common vulnerabilities.
8. Make sure your service providers implement reasonable security measures. Before hiring an outside service provider, tell them about your security expectations and ensure that they can implement appropriate security measures. It helps to put the appropriate security standards in your contract with the provider and to verify that the service provider implements an information collection system consistent with your requirements.
9. Put procedures in place to keep your security current and address vulnerabilities that may arise. Securing your software and networks is an ongoing process. You need to update and patch third-party software when it becomes outdated, heed credible security warnings, and act quickly to fix the problems they identify.
10. Secure paper, physical media, and devices. The lessons for network security apply equally to paper and physical media such as hard drives, laptops, flash drives, and disks. Don’t allow sensitive consumer information to be easily accessible. Protect devices that process personal information. And keep safety standards in place when the data is en route. For example, use mailing methods with tracking capability, and limit your employees’ ability to take sensitive files outside of the office.
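Lesson 3 is the one item on this list that maps directly onto a few lines of application code: never store the clear-text password, and stop an automated guessing program by counting failures and suspending the account. The following Python is an added example, not code from this post or from the FTC guidance, showing one way a small application could do both. The hashing parameters, the five-attempt limit, the fifteen-minute lockout, and the `AccountStore` class are assumptions chosen for illustration; the user records are constructed in memory rather than read from a real database.

```python
import hashlib
import hmac
import secrets
import time

# Policy constants (assumed for this example; tune them to your own risk assessment).
PBKDF2_ITERATIONS = 600_000    # work factor that slows down offline guessing of a stolen hash
MAX_FAILED_ATTEMPTS = 5        # lesson 3: restrict the number of login attempts
LOCKOUT_SECONDS = 15 * 60      # suspend the account after repeated failures


def hash_password(password: str) -> str:
    """Store a salted, iterated hash of the password instead of the clear text."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Self-describing record so the parameters can be raised later without a flag day.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash of a throwaway value, used so that a login for an unknown user costs the same
# CPU time as a wrong password; otherwise response time reveals which accounts exist.
DUMMY_HASH = hash_password(secrets.token_hex(16))


class AccountStore:
    """In-memory user store (constructed for the example) with lockout on repeated failures."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so the lockout window can be tested without waiting
        self._users = {}     # username -> {"hash": str, "failures": int, "locked_until": float}

    def create_user(self, username: str, password: str) -> None:
        self._users[username] = {"hash": hash_password(password), "failures": 0, "locked_until": 0.0}

    def is_locked(self, username: str) -> bool:
        record = self._users.get(username)
        return record is not None and self._clock() < record["locked_until"]

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked', or 'denied'. Unknown users get 'denied', same as a bad password."""
        record = self._users.get(username)
        if record is None:
            verify_password(password, DUMMY_HASH)
            return "denied"
        if self._clock() < record["locked_until"]:
            return "locked"
        if verify_password(password, record["hash"]):
            record["failures"] = 0          # a good login clears the failure counter
            return "ok"
        record["failures"] += 1
        if record["failures"] >= MAX_FAILED_ATTEMPTS:
            record["locked_until"] = self._clock() + LOCKOUT_SECONDS
            record["failures"] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    store.create_user("admin", "correct horse battery staple")
    for guess in ["1234", "password", "admin", "letmein", "qwerty"]:
        print(guess, "->", store.login("admin", guess))
    # Even the right password is refused while the lockout is in force.
    print("right password during lockout ->", store.login("admin", "correct horse battery staple"))
```

The stored record never contains the password itself, so a copied database yields only salted hashes that must be attacked one guess at a time at the chosen work factor, and the lockout means an online guessing program gets five tries before the account is suspended. In production the counter and lockout timestamp would live in the database rather than in process memory, and the lockout event is worth logging for the monitoring called for in lesson 5.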

Employers should keep these factors in mind when hiring and terminating staff. At the hiring or promotion stage, in addition to having strong, consistent policies already in place, confidentiality agreements can be instituted to further protect data and provide an additional means of legal relief. Additionally, at the termination stage, make sure that you have the ability to wipe data from separating employees’ devices, and the ability to change passwords/access so that you don’t have employees breaching security as they are being kicked out the door. For further information on the FTC’s guidance and your responsibilities as they relate to employee management, contact Verrill Dana’s Promotions or Labor and Employment Practice Groups to discuss.
