Synopsis: On January 6, 2020, Andrew Smith, director of the Federal Trade Commission’s Bureau of Consumer Protection, outlined in a blog post the agency’s new approach to data security orders. The agency implemented this approach in 2019 following a December 2018 hearing it held on the topic and an 11th Circuit decision that struck down a data security order as unenforceably vague. Elevating data security considerations to the C-Suite and Board level and increasing third-party assessor accountability are key features of its new approach, which Smith described as resulting in “significant improvements.”

The FTC’s “improvements” fall into the following three categories:

Elevated data security considerations to the C-Suite and board level. Companies must now present their boards with a written information security program annually. Senior officers then must provide annual certifications of compliance to the FTC with an order’s provisions. As support for the FTC’s efforts to improve corporate governance on data security, the FTC cited a number of studies, including one that “found a 35% decrease in the probability of information security breaches when companies include the Chief Information Security Officer (or equivalent) in the top management team and the CISO has access to the board.”

More specificity. The orders continue to require that a comprehensive information security program is implemented, but now provide more specificity on how that is to be accomplished. As previously mentioned, this change was prompted in part by a 2018 case in which the Eleventh Circuit vacated an FTC order as unenforceably vague. The FTC had ordered LabMD to implement a comprehensive information security program that included: 1) designated employees accountable for the program; 2) identification of material internal and external risks to the security, confidentiality and integrity of personal information; 3) reasonable safeguards to control identified risks; 4) reasonable steps to select service providers capable of safeguarding personal information and requiring them to do so; and 5) ongoing evaluation and adjustment of the program. The court concluded that the order “mandate[d] a complete overhaul of LabMD’s data-security program and [said] precious little about how this [was] to be accomplished.”

The orders now require companies to implement specific safeguards targeted at addressing problems alleged in the complaint. Smith gave a number of examples of such safeguards, including yearly employee training, encryption, monitoring systems for data security incidents, patch management systems, and access controls.

Increased third-party assessor accountability. A third improvement focuses on increasing the rigor of third-party assessors. The FTC continues to rely on outside assessors to review the implementation of the comprehensive data security programs required by the orders. For each biennial assessment, the FTC now has the authority to approve or reject the selected assessor. The orders also require assessors to identify specific evidence to support their conclusions, including, but not limited to, documents reviewed, sampling and testing performed, and interviews conducted. Documents related to the assessment must be maintained, and the assessor cannot refuse to provide such documents on the basis of certain privileges.