In a recent blog post, Andrew Smith, director of the Federal Trade Commission’s Bureau of Consumer Protection, describes how the agency has improved its orders in data security cases.
In the post, published Monday, Smith notes the FTC has made “significant improvements” to its data security orders in 2019. These improvements are reflected in seven orders announced in 2019 against an array of diverse companies. He specifically cited the ClixSense, i-Dressup, and DealerBuilt cases, as well as the D-Link, Equifax, Retina-X, and Infotrax cases.
Smith said the improvements fall into the following three categories:
More specificity. “They continue to require that the company implement a comprehensive, process-based data security program, and they require the company to implement specific safeguards to address the problems alleged in the complaint,” Smith said. He cited annual employee training, access controls, monitoring systems for data security incidents, patch management systems, and encryption as examples. “These requirements not only make the FTC’s expectations clearer to companies, but also improve order enforceability,” he said.
Increased third-party assessor accountability. “We still rely on outside assessors to review the comprehensive data security program required by the orders, and now we require even more rigor in these assessments,” he said. For example, the orders “clearly and specifically” require assessors to identify evidence to support their conclusions, including independent sampling, employee interviews, and document review. The assessors must retain documents related to the assessment and cannot refuse to provide those documents to the FTC on the basis of certain privileges.
“Perhaps most importantly,” he said, “our new orders give us the authority to approve and re-approve assessors every two years. If an assessor falls down on the job, we will withhold approval and force the company to hire a different assessor.”
Elevated data security considerations to the C-Suite and boards. Every year, companies must present their board or similar governing body with a written information security program, “and, notably, senior officers must now provide annual certifications of compliance to the FTC. This will force senior managers to gather detailed information about the company’s information security program, so they can personally corroborate compliance with an order’s key provisions each year,” he said. “Requiring these kinds of certifications under oath has been an effective compliance mechanism under other legal regimes (e.g., securities law), and we expect it will likewise ensure better year-round governance and controls regarding FTC data security orders.”
To this point, Smith pointed to research that suggests the FTC’s efforts to improve corporate governance on data security issues are timely and well-founded. According to one survey, conducted by Protiviti, boards are becoming increasingly involved in cyber-security governance.
“Some studies suggest that board attention to data-security decisions can dramatically improve data safeguarding,” Smith said. He cited one study that found a 35 percent decrease in the probability of information-security breaches when companies include the chief information security officer (or equivalent) in the top management team and when the CISO has access to the board. “Our new orders are consistent with this research,” he said. “They create additional incentives for high-level oversight of, and appropriate attention to, data security.”