Alston & Bird Privacy, Cyber & Data Strategy Blog

FTC Consumer Protection Bureau Director Highlights Efforts to Strengthen Data Security Orders

January 13, 2020 By Kathleen Benway and Emily Poole

On January 6, 2020, the Federal Trade Commission’s (FTC) Bureau of Consumer Protection Director Andrew Smith published a blog post summarizing the agency’s “New and improved FTC data security orders,” as part of its efforts to provide “better guidance for companies” and “better protection for consumers.”

Smith noted that strengthening the FTC’s orders in data security cases was one of his and Chairman Joe Simons’ first priorities. This effort follows and was likely influenced by the 11th Circuit’s 2018 LabMD decision, which declared that the FTC’s data security order against LabMD was overly vague and unenforceable, finding that the order would require LabMD’s data security program “to meet an indeterminable standard of reasonableness.”

In his blog post, Smith outlines three primary areas where the agency strengthened order provisions in enforcement actions in the last year against companies in a range of industries, including ClixSense (pay-to-click survey company), i-Dressup (online games for kids), DealerBuilt (car dealer software provider), D-Link (Internet-connected routers and cameras), Equifax (credit bureau), Retina-X (monitoring app), and Infotrax (service provider for multilevel marketers). Those areas, each of which is described further below, include increased specificity, increased accountability of third-party assessors, and improved corporate governance on data security issues.

(1) Specificity

Smith notes that while the FTC’s orders continue to generally require companies to implement a comprehensive information security program, enforcement orders now include more detailed requirements pertaining to the implementation of specific information security safeguards. Recent examples cited in the blog post include requirements to implement employee training, access controls, monitoring systems for data security incidents, patch management systems, and encryption.

(2) Third-Party Assessor Accountability for Post-Enforcement Reporting

The FTC’s recent orders contain more rigorous requirements for the third-party assessors that review an entity’s data security program as part of an FTC enforcement order. For example, assessors are required to identify the specific evidence supporting their conclusions, and documentation generated by assessors as part of the review cannot be withheld from the FTC on the basis of certain privileges, such as attorney-client privilege, attorney work product, or proprietary or trade-secret protection. Moreover, the FTC’s orders allow the FTC to re-approve qualified assessors every two years.

(3) C-Suite and Board Involvement

The FTC’s recent orders also specify that certain data security considerations must be elevated to a company’s senior executives and/or Board. Citing research that reflects the positive correlation between a board’s security awareness and the overall strength of a company’s cybersecurity program, the FTC’s blog post highlights steps that companies may be required to take, such as presenting the Board with the company’s written information security program or providing the FTC with an annual certification of compliance from the company’s senior officers.

Filed Under: Cybersecurity, Data Security, Enforcement Tagged With: Federal Trade Commission (FTC)

About Kathleen Benway

Kathleen concentrates her practice on government investigations and corporate compliance related to consumer protection issues, including privacy, security, advertising, and marketing. She is a former chief of staff at the FTC’s Bureau of Consumer Protection.

About Emily Poole

Emily Poole is an associate on Alston & Bird’s Privacy & Data Security and Cybersecurity Preparedness & Response teams. She focuses her practice on cybersecurity and privacy compliance and enforcement, as well as emerging technology issues.
