In a recent blog post, the Federal Trade Commission highlighted three key changes it made in 2019 in its approach to issuing orders in data security enforcement matters. As stated by Andrew Smith, the Director of the FTC’s Bureau of Consumer Protection, in the blog post, the agency intends for these changes to strengthen consumer protections while providing companies with more specific and actionable guidance about how to improve their data security practices. However, the FTC’s shift in approach may also have an impact on how companies view risks associated with FTC enforcement, as the changes could result in additional obligations for a company and members of its senior leadership team.
First, the FTC described changes it has made to provide greater specificity in its data security orders. In the FTC’s blog post, it characterized the language used in most FTC data security orders issued over the past two decades as having contained “fairly standard language” requiring companies to implement comprehensive information security programs that are subject to a biennial external assessment. The FTC explained, however, that in seven data security orders issued in the past year it supplemented the general data security program requirement by mandating specific measures that companies must take to address the problems alleged in each individual complaint. In the FTC’s view, these requirements were tailored to the type of business involved and the issues identified in the FTC’s complaint, including requirements to implement annual employee training programs, access controls, monitoring systems for data security incidents, patch management systems, and security measures such as encryption. The FTC’s blog post notes that this increased specificity will not only provide clearer guidance to companies on the front end, but also facilitate enforcement of the order. (The focus on enforceability is particularly salient in light of the Eleventh Circuit’s 2018 LabMD decision, which struck down an FTC data security order as unenforceably vague.)
The blog post also described the FTC’s changing approach to the use of third-party assessors in connection with its data security enforcement orders. The FTC’s post explained that the agency often relies on outside assessors to review a company’s comprehensive data security program as required by its orders. Its recent orders impose more explicit requirements regarding the identification and documentation of the specific evidence these assessors rely upon to facilitate the FTC’s review of their conclusions. Importantly, the FTC’s blog post indicates that assessors will not be able to refuse to turn over assessment documents to the FTC on the basis of certain privileges. This could significantly limit companies’ ability to conduct assessments under applicable privileges to encourage candid discussions of their information security practices. The FTC has also added language to its data security orders giving it the authority to approve and reevaluate these assessors every two years, which could allow the FTC to require a company to hire a different assessor if the FTC believes the current assessor is ineffective.
Finally, the FTC has added requirements to its data security orders to increase the visibility of data security considerations at the senior leadership level. These orders now require companies to present a written explanation of the information security program and any evaluations or updates to the company’s board or most senior governing body. The orders also require senior officers to provide annual certifications of compliance to the FTC, personally corroborating that the key provisions of the order have been followed. The FTC explained that it adopted this approach after similar strategies in other areas, such as enforcement of securities laws, had resulted in improved compliance. This increased responsibility for companies’ senior leadership may require these individuals to become more engaged in the details of the company’s information practices in the event of an FTC enforcement action.
Taken together, the FTC’s explanations for recent changes to its data security enforcement approach suggest that the FTC is focused on enforceability of its data security orders, and is not tied to its current or prior approaches in this area. In addition to the changes it has already made, the FTC’s blog post suggests that it may continue to evaluate and update its approach to data security orders with an eye towards enforceability and protecting consumers.