On January 6, 2020, Andrew Smith, Director of the Federal Trade Commission’s (FTC’s) Bureau of Consumer Protection, published a blog post highlighting recent changes to the Commission’s data security enforcement orders. Industry leaders, law practitioners, Congress, and even the courts have criticized aspects of those orders. In the post, titled New and improved FTC data security orders: Better guidance for companies, better protection for consumers, Smith acknowledges that strengthening the FTC’s orders in data security matters was among the first priorities of Chairman Joseph J. Simons and of Smith himself upon arriving at the FTC. The post is a useful roadmap to the practices the Commission requires of companies under its orders. Lawyers often look to these orders to distill advice for clients in a challenging area where public shaming of companies after data security incidents is rampant.
The FTC began working toward more specific, improved data security orders in 2019, and Smith cites seven different 2019 data security orders to illustrate these improvements. The improvements, he notes, resulted in part from a December 2018 FTC hearing on how data security orders could be improved, as well as from a 2018 Eleventh Circuit Court of Appeals decision.
As a result, Smith highlights three major changes that “improve data security practices and provide greater deterrence” for companies and enhance enforceability. These changes fall into the following three categories:
(1) The orders are more specific.
(2) The orders increase third-party assessor accountability.
(3) The orders elevate data security considerations to the C-Suite and Board level via executive certifications modeled after similar certifications in securities and other laws.
Specific Prescriptive Requirements. To begin, with respect to specificity, the orders still require a company to “implement a comprehensive, process-based data security program.” However, enforcement orders now contain specific safeguards to address alleged problems, such as “yearly employee training, access controls, monitoring systems for data security incidents, patch management systems, and encryption.”
Third-Party Assessor Oversight. Next, FTC enforcement orders now require outside assessors to conduct a more rigorous review of the comprehensive data security program the orders require. Smith gives the following example: “the orders clearly and specifically require assessors to identify evidence to support their conclusions, including independent sampling, employee interviews, and document review.” Moreover, Smith notes that, perhaps most importantly, the new orders give the FTC the ability to approve and re-approve assessors every two years.
Corporate Governance and Oversight. Finally, the FTC’s new orders raise data security issues to the C-Suite and the Board. In relevant part, companies are now required to present their Board with a written information security program and senior officers must now provide annual certifications of compliance to the FTC. Smith further explains that the FTC’s efforts to “improve corporate governance on data security issues are timely and well founded.”
As cybersecurity becomes an increasingly important area of concern for organizations, the FTC’s efforts in this area remain worthy of continued attention. Data security incidents also carry other sources of risk: enforcement actions by other regulators, such as the SEC (for issuers of securities and certain financial institutions or service providers) and the Department of Health and Human Services (for health information), active consumer class actions, and securities and derivative litigation.