New FTC Data Security Orders Provide Better Guidance and Protection

The Federal Trade Commission announced new data security orders on January 6. The changes “improve data security practices and provide greater deterrence, within the bounds of our existing authority.” The FTC announced seven new orders against “ClixSense (pay-to-click survey company), i-Dressup (online games for kids), DealerBuilt (car dealer software provider), D-Link (Internet-connected routers and cameras), Equifax (credit bureau), Retina-X (monitoring app), and Infotrax (service provider for multilevel marketers).” These orders were issued in 2019 upon improvement from a December 2018 hearing and the 2018 LabMD decision, in which a court denied an FTC data security order for being unenforceably vague.

The FTC noted three categories of improvement: the orders are more specific, they increase third-party assessor accountability, and they elevate data security considerations to the C-Suite and Board level. These improvements are meant to provide better guidance to companies and protection to consumers.

The new orders are more specific. According to the FTC, these orders “continue to require that the company implement a comprehensive, process-based data security program, and they require the company to implement specific safeguards to address the problems alleged in the complaint.” Examples of requirements include annual employee training, access controls, monitoring, and encryption. The improvements clarify the FTC’s expectations for companies and improve enforceability.

The FTC uses third-party assessors “to review the comprehensive data security program required by the orders,” which will now be more rigorous. For example, third-party assessors must determine supportive evidence for their assessment, such as documentation and employee interviews. Assessors must keep the evidence and cannot refuse to supply the FTC with said evidence. The FTC needs this information because it is “better able to investigate compliance and enforce orders.”

The new orders increase data security concerns to the C-Suite and Board level. For example, now companies must show their Board written documents about its security program annually; in turn, senior officials must supply the FTC with annual compliance certificates. Thus, senior officials will have detailed information about their company’s security program, allowing them to personally verify FTC compliance. The FTC stated, “[r]equiring these kinds of certifications under oath has been an effective compliance mechanism under other legal regimes (e.g., securities law), and we expect it will likewise ensure better year-round governance and controls regarding FTC data security orders.”

The FTC believes that its decision to have Board and senior officials involved will help improve compliance and data security issues and programs. The FTC cited a study that “found a 35% decrease in the probability of information security breaches when companies include the Chief Information Security Officer (or equivalent) in the top management team and the CISO has access to the board.”