In a recent blog post, the Federal Trade Commission highlighted three key changes it made in 2019 in its approach to issuing orders in data security enforcement matters.  As stated by Andrew Smith, the Director of the FTC’s Bureau of Consumer Protection, in the blog post, the agency intends for these changes to strengthen consumer protections while providing companies with more specific and actionable guidance about how to improve their data security practices.  However, the FTC’s shift in approach may also have an impact on how companies view risks associated with FTC enforcement, as the changes could result in additional obligations for a company and members of its senior leadership team.

First, the FTC described changes it has made to provide greater specificity in its data security orders.  In the FTC’s blog post, it characterized the language used in most FTC data security orders issued over the past two decades as “fairly standard language” requiring companies to implement comprehensive information security programs that are subject to a biennial external assessment.  The FTC explained, however, that in seven data security orders it issued in the past year it supplemented the general data security program requirement by mandating specific measures that companies must take to address the problems alleged in each individual complaint.  In the FTC’s view, these requirements were tailored to the type of business involved and the issues identified in the FTC’s complaint, including requirements to implement annual employee training programs, access controls, monitoring systems for data security incidents, patch management systems, and security measures such as encryption.  The FTC’s blog post notes that this increased specificity will not only provide clearer guidance to companies on the front end, but also facilitate enforcement of the order.  (The focus on enforceability is particularly salient in light of the Eleventh Circuit’s 2018 LabMD decision, which struck down an FTC data security order as unenforceably vague.)

The blog post also described the FTC’s changing approach to the use of third-party assessors in connection with its data security enforcement orders.  The FTC’s post explained that the agency often relies on outside assessors to review a company’s comprehensive data security program as required by its orders.  Its recent orders impose more explicit requirements regarding the identification and documentation of the specific evidence these assessors rely upon, in order to facilitate the FTC’s review of their conclusions.  Importantly, the FTC’s blog post indicates that assessors will not be able to refuse to turn over assessment documents to the FTC on the basis of certain privileges.  This could significantly limit companies’ ability to conduct assessments under applicable privileges, which companies rely on to encourage candid discussions of their information security practices.  The FTC has also added language to its data security orders giving it the authority to approve and reevaluate these assessors every two years, which could allow the FTC to require a company to hire a different assessor if the FTC believes the current assessor is ineffective.

Finally, the FTC has added requirements to its data security orders to increase the visibility of data security considerations at the senior leadership level.  These orders now require companies to present a written explanation of the information security program, and any evaluations or updates to it, to the company’s board or most senior governing body.  The orders also require senior officers to provide annual certifications of compliance to the FTC, personally corroborating that the key provisions of the order have been followed.  The FTC explained that it adopted this approach after similar strategies in other areas, such as enforcement of securities laws, resulted in improved compliance.  This increased responsibility for companies’ senior leadership may require these individuals to become more engaged in the details of the company’s information practices in the event of an FTC enforcement action.

Taken together, the FTC’s explanations for recent changes to its data security enforcement approach suggest that the FTC is focused on enforceability of its data security orders, and is not tied to its current or prior approaches in this area.  In addition to the changes it has already made, the FTC’s blog post suggests that it may continue to evaluate and update its approach to data security orders with an eye towards enforceability and protecting consumers.

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.