The Federal Trade Commission is seriously turning up the heat on the data security compliance requirements companies must meet in the event of an FTC enforcement action following a data breach.
In a trio of recently proposed settlements, the FTC alleged the companies’ poor data security practices led to breaches that exposed the personal information of millions of consumers. Most striking about all three settlements are the many new data security compliance requirements that the consent orders impose. “What we are seeing is more specificity,” says Michael Morgan, leader of the global privacy and cyber-security practice at law firm McDermott Will & Emery.
In one complaint, filed against automobile software provider DealerBuilt, the FTC alleged DealerBuilt stored and transmitted the personal information it collected from its auto dealer clients—including birthdates, social security numbers, and bank account information—without encrypting it and without any access controls or authentication protections, exposing the personal information of 12.5 million consumers.
The proposed settlement, announced June 12, requires DealerBuilt to implement specific, enforceable safeguards that address the failures alleged in the complaint—for example, the company must conduct annual employee training on how to safeguard personal information, implement data access controls, encrypt all social security numbers and financial account information on its computer networks, and monitor its systems for data security incidents. “The consent order does provide some guidance as to what the FTC considers appropriate given the facts set forth in the complaint,” says Katherine Armstrong, counsel at Drinker Biddle.
The DealerBuilt settlement follows two other consent orders, both announced April 24, against online rewards website Clixsense and the now-defunct virtual dress-up website i-Dressup for similar security failures. “The orders obtained in these matters contain strong injunctive provisions, including new requirements that go beyond requirements from previous data security orders,” the FTC Commissioners said in a statement.
For example, all three proposed settlements—Clixsense, i-Dressup, and now DealerBuilt—contain explicit new requirements for conducting, documenting, and reporting self-assessments of risks and the sufficiency of security safeguards. They also impose new obligations on senior managers or officers to provide annual compliance certifications to the FTC and impose enhanced third-party obligations for assessing companies’ data security practices.
In the Clixsense action, the FTC alleged the website’s inadequate data security measures allowed hackers to gain access to consumers’ sensitive information through the company’s network. According to the FTC’s complaint, even though ClixSense stated on its website that it “‘utilizes the latest security and encryption techniques,’” the FTC said this was false and deceptive information, as ClixSense “did not adopt even the minimal data security measures prescribed by most data security professionals.” Such vulnerabilities allowed hackers to expose the personal information of 6.6 million consumers.
In the i-Dressup action, the FTC alleged i-Dressup stored and transmitted users’ personal information, including passwords, in plain text; failed to perform vulnerability testing of its network; failed to implement an intrusion detection and prevention system; and failed to monitor for potential security incidents. Consequently, i-Dressup’s website operator, Unixiz, violated provisions of the Children’s Online Privacy Protection Act by, among other things, failing to deploy “reasonable” security measures for the personal information it collected. In September 2016, i-Dressup discovered that a hacker had compromised the personal information of 2.1 million of its users, including 245,000 children. Less than two years later, the U.S. Division of Consumer Affairs forced the site to shutter its doors due to the breach and the lack of data protection controls in place.
Analyzing the trio of FTC consent orders together, several new data security compliance expectations have emerged:
Implement a comprehensive information-security program. Some of the provisions in the latest consent orders echo what the FTC has been requiring in its data security settlements for several years, like the requirement to have in place a comprehensive information-security program that’s designed to protect the personal information the company handles and to designate at least one employee to coordinate and be responsible for that program. Each company must also identify internal and external risks to personal information and design, implement, test, and monitor the effectiveness of the safeguards that are put in place.
Choose your service providers wisely. Other standard provisions in past and current FTC consent orders require companies to select and retain service providers who can implement appropriate security measures to safeguard personal information. As the FTC’s guidance “Start with Security” suggests, be candid about your security expectations, insist that appropriate security standards are part of your contracts, and monitor that service providers are meeting your expectations.
Annually conduct self-assessments. Unlike past consent orders, the new consent orders contain explicit timing requirements. In the DealerBuilt, i-Dressup, and ClixSense consent orders, for example, the FTC specifies that the companies must assess, test, and monitor the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of personal information at least once a year and promptly following a security breach, and modify the information-security program based on the results.
“The requirement to do those assessments annually may well be a pain point for many companies,” Morgan says. “Often, these assessments take many months, so companies that are under the obligation to collect annual assessments may feel like they are constantly in assessment mode.”
Document all risks. The orders also include explicit new documentation requirements. Each company must, for example, document both internal and external risks and the relevant safeguards, as well as the “content, implementation, and maintenance” of the information-security program.
Assign an officer to provide annual compliance certification to the FTC. Unlike previous consent orders that required companies to file “true and accurate” reports with the FTC, the new certification requirements raise the bar by requiring that a senior manager or officer communicate to the FTC annually that the company has established, implemented, and maintained the information-security program and is not aware of any material non-compliance that has not been corrected or disclosed to the FTC.
From a compliance standpoint, signing off on these certifications may prove challenging. “This certification must be based on either personal knowledge or the knowledge of subject-matter experts upon whom the manager or officer reasonably relies,” Morgan says. Such subject-matter experts may include, for example, those who have designed the controls and implemented the information-security program.
That means ensuring that information about the maturity of the program is communicated up through the organization in a way that bulletproofs the certification of that senior manager or officer. For compliance officers and general counsel, that will generate a lot of questions as to how to achieve that level of reasonable reliance, Morgan says.
While the FTC consent orders call on companies to obtain initial and biennial assessments from third-party assessors, the new consent orders alter the scope of these assessments. Specifically, the FTC Commissioners said they are “particularly committed to strengthening the order provisions regarding data security assessments of companies by third parties” and that “future orders will better ensure that third-party assessors know they are accountable for providing meaningful, independent analysis of the data practices under examination.”
Previous consent orders required the third-party assessor to set forth the specific safeguards implemented by the company, explain why the safeguards are appropriate and how they protect consumers’ personal information collected by the company, and then certify that the company’s program is operating effectively.
In addition to meeting these obligations, third-party assessors must now determine whether the company, in fact, adheres to the information-security program; assess the effectiveness of the implementation and management of the program; and identify any gaps or weaknesses in the program. Also, unlike past orders, the new consent orders expressly require responding companies to cooperate with the third-party assessor and prohibit misrepresenting in any manner “any fact material” that would hinder the assessor from making a true and accurate determination.
The FTC consent orders, while serving as valuable guidance, still need to be taken with a grain of salt. “There is no one-size-fits-all for what is appropriate data security,” Armstrong says. “It really is based on what is appropriate for a particular company based on the type of data collected and how it is used.”
Prudent compliance officers and legal counsel, however, will want to pay attention to future FTC consent orders, as more changes may be forthcoming. “[W]e anticipate further refinements, and these orders may not reflect the approach that we intend to use in every data security enforcement action going forward,” the Commissioners have said.
“Since joining the Commission, we have instructed staff to closely review our orders to determine whether they could be strengthened and improved, particularly in the areas of privacy and data security,” the Commissioners said. “Through ongoing discussions both internally and with external stakeholders … we continue to consider changes to our orders. We will adjust our data security orders, as needed, to reflect our ongoing discussions regarding the FTC’s remedial authority and needs, as well as the specific facts and circumstances of each case.”