FTC announces new and improved data security guidance
On January 6, 2020, Andrew Smith, Director of the Federal Trade Commission (FTC) Bureau of Consumer Protection, announced three significant improvements to the FTC’s approach to data security enforcement cases. The improvements fall into the following three categories:
1) Greater specificity: The FTC will continue to require that a company implement a comprehensive, process-based data security program, but will now also require that the company implement specific safeguards, such as yearly employee training, access controls, monitoring systems, and encryption. The FTC believes these specific safeguards will provide more clarity to companies and enhance order enforceability.
2) Increased third-party assessor accountability: The FTC will continue to require outside assessors to review a company’s comprehensive data security program, but the review must now be more rigorous. Assessors are now required to substantiate their conclusions with evidence, retain documents related to the assessment, and may not invoke privilege when asked to provide those documents to the FTC. The FTC also now has the authority to approve and re-approve assessors every two years, allowing it to require a company to hire a new assessor if the current one is not meeting the FTC’s expectations.
3) Boards and C-suite have a more active stake in data security matters: Every year, companies must now present their Board or governing body with their written information security program, and senior officers must now provide annual certifications of compliance with the security program to the FTC. The FTC wants a company’s senior leadership to be more involved in complying with key data security guidelines. These changes are consistent with research suggesting that increased oversight at the executive level dramatically improves a company’s data security safeguards.
The FTC has already incorporated these improvements into seven orders it issued against companies in 2019. Although it remains to be seen whether these changes will enhance cybersecurity nationwide, they no doubt address gaps in companies’ data security programs that have led to serious and large-scale breaches of consumer information in the past few years. The FTC’s efforts to address cybersecurity are intended to protect consumers, but they will require businesses to devote additional resources to counter a problem that is not likely to go away any time soon.