On January 6, 2020, Andrew Smith, Director of the Federal Trade Commission's (FTC's) Bureau of Consumer Protection, published a blog post highlighting recent changes to the Commission's enforcement orders relating to data security. Industry leaders, law practitioners, Congress, and even the courts have criticized aspects of the Commission's data security orders. In the post, titled "New and improved FTC data security orders: Better guidance for companies, better protection for consumers," Smith acknowledges that strengthening the FTC's orders in data security matters was among the first priorities of Chairman Joseph J. Simons and himself when they arrived at the FTC. Smith's blog post is a useful roadmap for understanding the practices the Commission requires of companies under its orders. Lawyers often look to these orders to distill advice for clients in a challenging area where the public shaming of companies after data security incidents is rampant.
The FTC began issuing improved, more specific data security orders in 2019, and Smith cites seven different 2019 data security orders to illustrate these improvements. The improvements, he notes, resulted in part from a December 2018 FTC hearing that addressed how data security orders could be improved, as well as from a 2018 Eleventh Circuit Court of Appeals decision.
Smith highlights three major changes that, in his words, "improve data security practices and provide greater deterrence" for companies while also enhancing enforceability. These changes fall into three categories:
(1) The orders are more specific.
(2) The orders increase third-party assessor accountability.
(3) The orders elevate data security considerations to the C-Suite and Board level via executive certifications modeled after similar certifications in securities and other laws.