FTC Provides Recommendations on Preventing and Mitigating Cyber Risks in Developing AI and Other Products
On December 13, 2024, the Federal Trade Commission’s Office of Technology and Division of Privacy and Identity Protection posted a set of recommendations related to the security risks posed by developing products like AI, targeted advertising and surveillance pricing tools.
The overarching risk the FTC identifies in relation to product development is the potential for companies to create “valuable pools” of personal information that can be targeted and exploited by bad actors. Essentially, developing more and better datasets creates more cyber risk, particularly in the form of data breaches and digital threats like ransomware. The FTC’s recommendations focus on security practices in data management, software development and product design for humans, pointing to a number of recent enforcement actions as examples of security failures.
- Security in data management: The FTC highlights the importance of enforcing retention schedules, limiting third-party data sharing and encrypting sensitive data. Notably, the FTC also recommends mandatory deletion of data that “was ill-gotten, collected or sold without user consent or knowledge,” or “unnecessarily retained,” including models and algorithms trained on such data.
- Security in software development: The FTC notes the criticality of applying principles like “secure by design” to the development stage, including measures like building products using memory-safe programming languages, implementing rigorous testing (e.g., pre-release scanning and vulnerability testing), and securing external product access.
- Security in product design for humans: The FTC stresses the ongoing risk of human error as a factor in security breaches, outlining mitigation measures including enforcing least privilege access control, mandating the use of phishing-resistant MFA, and designing products and services without dark patterns that influence users to share more of their personal data.
The FTC’s recommendations include various links to related FTC guidance and enforcement actions, and the agency reiterates its continued focus on digital security threats.