Since the end of 2018, the Federal Trade Commission has reportedly been considering how to strengthen the injunctive relief imposed in orders in data security cases. The FTC began its evaluation with a public hearing in December 2018 on data breaches and data breach assessments. Several months later, in March 2019, the Commission issued a statement explaining that it was examining the obligations in its orders in data security cases and mandating “new requirements” while “anticipat[ing] further refinements.” Thereafter, the FTC ultimately issued seven data security orders with specific data security practices and obligations that differed markedly from past orders.
In a recent blog post, Andrew Smith, the director of the FTC Bureau of Consumer Protection, explained the origin of these efforts and summarized the orders’ refinements. Smith acknowledged that FTC data security orders historically “contained fairly standard language,” which the Eleventh Circuit struck down in 2018 as “unenforceably vague” when vacating an FTC cease-and-desist order against LabMD, Inc. After considering the information learned during the December 2018 hearing and the LabMD decision, the FTC focused on three areas for change: (1) prescribing “more specific” requirements for data security programs tailored to the problems alleged in the complaint; (2) increasing “third-party assessor accountability” and enhancing FTC oversight of assessors; and (3) elevating “data security considerations to the C-Suite and Board level” in the form of senior officer compliance certifications.
Some of the specific data security requirements from the first category are highlighted in the analysis of a recent settlement with InfoTrax, a web portal service provider for multilevel marketing companies. The FTC’s requirements in that settlement order cover a wide range of particular technical and non-technical features such as encryption practices, mandatory trainings, and annual penetration tests. Similarly, in the second category, the FTC has imposed concrete guidelines on third-party assessors on how to evaluate data security programs and requirements to support their assessments with evidence. In the third category, the FTC now requires senior officers to submit annual certifications of compliance, which Smith argues will “ensure better year-round governance and controls” and “improved data safeguarding.”
In sum, the blog post is a helpful guide on the types of obligations a respondent before the FTC may face and, more broadly, what data security features the FTC currently considers constitute best practices.