In a recent blog post, the Federal Trade Commission highlighted three key changes it made in 2019 in its approach to issuing orders in data security enforcement matters.  As stated by Andrew Smith, the Director of the FTC’s Bureau of Consumer Protection, in the blog post, the agency intends for these changes to strengthen consumer protections while providing companies with more specific and actionable guidance about how to improve their data security practices.  However, the FTC’s shift in approach may also have an impact on how companies view risks associated with FTC enforcement, as the changes could result in additional obligations for a company and members of its senior leadership team.

First, the FTC described changes it has made to provide greater specificity in its data security orders.  In the FTC’s blog post, it characterized the language used in most FTC data security orders issued over the past two decades as having contained “fairly standard language” requiring companies to implement comprehensive information security programs that are subject to a biennial external assessment.  The FTC explained, however, that in seven data security orders it has issued in the past year, it supplemented the general data security program requirement by mandating specific measures that companies must take to address the problems alleged in each individual complaint.  In the FTC’s view, these requirements were tailored to the type of business involved and the issues identified in the FTC’s complaint, including requirements to implement annual employee training programs, access controls, monitoring systems for data security incidents, patch management systems, and security measures such as encryption.  The FTC’s blog post notes that this increased specificity will not only provide clearer guidance to companies on the front end, but also facilitate enforcement of the order.  (The focus on enforceability is particularly salient in light of the Eleventh Circuit’s 2018 LabMD decision, which struck down an FTC data security order as unenforceably vague.)

The blog post also described the FTC’s changing approach to the use of third-party assessors in connection with its data security enforcement orders.  The FTC’s post explained that the agency often relies on outside assessors to review a company’s comprehensive data security program as required by its orders.  Its recent orders impose more explicit requirements regarding the identification and documentation of the specific evidence these assessors rely upon to facilitate the FTC’s review of their conclusions.  Importantly, the FTC’s blog post indicates that assessors will not be able to refuse to turn over assessment documents to the FTC on the basis of certain privileges.  This could significantly limit companies’ ability to conduct assessments under applicable privileges to encourage candid discussions of their information security practices.  The FTC has also added language to its data security orders giving it the authority to approve and reevaluate these assessors every two years, which could allow the FTC to require a company to hire a different assessor if the FTC believes the current assessor is ineffective.

Finally, the FTC has added requirements to its data security orders to increase the visibility of data security considerations at the senior leadership level.  These orders now require companies to present a written explanation of the information security program and any evaluations or updates to the company’s board or most senior governing body.  The orders also require senior officers to provide annual certifications of compliance to the FTC, personally corroborating that the key provisions of the order have been followed.  The FTC explained that it adopted this approach after similar strategies in other areas, such as enforcement of securities laws, resulted in improved compliance.  This increased responsibility for companies’ senior leadership may require these individuals to become more engaged in the details of the company’s information practices in the event of an FTC enforcement action.

Taken together, the FTC’s explanations for recent changes to its data security enforcement approach suggest that the FTC is focused on enforceability of its data security orders, and is not tied to its current or prior approaches in this area.  In addition to the changes it has already made, the FTC’s blog post suggests that it may continue to evaluate and update its approach to data security orders with an eye towards enforceability and protecting consumers.

Caleb Skeath

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.



Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.