On January 6, 2020, the Federal Trade Commission’s (FTC) Bureau of Consumer Protection Director Andrew Smith published a blog post summarizing the agency’s “New and improved FTC data security orders,” as part of its efforts to provide “better guidance for companies” and “better protection for consumers.”
Smith noted that strengthening the FTC’s orders in data security cases was one of his and Chairman Joe Simons’ first priorities. This effort follows and was likely influenced by the 11th Circuit’s 2018 LabMD decision, which declared that the FTC’s data security order against LabMD was overly vague and unenforceable, finding that the order would require LabMD’s data security program “to meet an indeterminable standard of reasonableness.”
In his blog post, Smith outlines three primary areas where the agency strengthened order provisions in enforcement actions in the last year against companies in a range of industries, including ClixSense (pay-to-click survey company), i-Dressup (online games for kids), DealerBuilt (car dealer software provider), D-Link (Internet-connected routers and cameras), Equifax (credit bureau), Retina-X (monitoring app), and Infotrax (service provider for multilevel marketers). Those areas, each of which is described further below, include increased specificity, increased accountability of third-party assessors, and improved corporate governance on data security issues.
Smith notes that while the FTC’s orders continue to generally require companies to implement a comprehensive information security program, enforcement orders now include more detailed requirements pertaining to the implementation of specific information security safeguards. Recent examples cited in the blog post include requirements to implement employee training, access controls, monitoring systems for data security incidents, patch management systems, and encryption.
(2) Third-Party Assessor Accountability for Post Enforcement Reporting
The FTC’s recent orders contain more rigorous requirements for the third-party assessors that review an entity’s data security program as part of an FTC enforcement order. For example, assessors are required to identify specific supporting evidence for their conclusions, and documentation generated by assessors as part of the review cannot be withheld from the FTC on the basis of certain privileges, such as attorney client privilege, attorney work product, or proprietary or trade secrets. Moreover, the FTC’s orders allow the FTC to re-approve qualified assessors every two years.
(3) C-Suite and Board Involvement
The FTC’s recent orders also specify that certain data security considerations must be elevated to a company’s senior executives and/or Board. Citing to research that reflects the positive correlation between a board’s security awareness and the overall strength of a company’s cybersecurity program, the FTC’s blog post highlights certain steps that companies may be required to take, such as presenting the Board with the company’s written information security program or providing the FTC with an annual certification of compliance from the company’s senior officers.