Summary of article from Federal Trade Commission, Office of Technology:
The FTC has been enforcing national consumer protection laws for over two decades, focusing on companies with inadequate security practices such as failing to encrypt sensitive data and not using multi-factor authentication. The FTC and the Cybersecurity and Infrastructure Security Agency (CISA) recommend practices like root-cause analysis of vulnerabilities, using template rendering systems for Cross-Site Scripting (XSS) vulnerabilities, query builders for SQL injection vulnerabilities, and memory-safe programming languages for buffer overflows and use-after-free vulnerabilities. CISA’s Secure by Design Alert Series offers additional strategies to protect systems from design issues leading to security incidents. The FTC asserts that companies have a legal obligation to protect consumers’ data, with violations leading to enforcement actions.