On April 28, 2021, the U.S. Federal Trade Commission (“FTC”) published a blog post reminding corporate boards of directors of their responsibility to oversee data security issues and ensure that consumer and employee data are protected.  The FTC’s post is a continuation of its efforts to “elevate data security considerations to the C-Suite and Board level.”

By way of background, the FTC noted that it has continued to challenge companies’ data security practices on the grounds of allegedly deceptive or unfair conduct.  The Commission is also actively reviewing certain data security rules targeted at safeguarding health records and consumer information held by financial institutions.

As guidance for directors seeking to improve their oversight obligations, the FTC’s blog post provides “five common-sense recommendations”:

  • Make Data Security a Priority. Corporate Boards can prioritize the importance of data security compliance by setting a tone at the top of strong security expectations.  This can be accomplished by, among other things, engaging a broad range of internal personnel from across the company on data security issues – including, for example, business, legal, and IT departments – rather than treating data security as exclusively an IT function.  The post also notes that successful Boards have held regular briefings on privacy and security risks and have taken direct ownership over cybersecurity issues, rather than delegating those duties.
  • Understand the Cybersecurity Risks and Challenges Your Company Faces. Boards should have a “sophisticated grasp” on the particular cybersecurity risks facing their organization and allocate resources appropriately to address those risks.
  • Don’t Confuse Legal Compliance With Security. With cybersecurity threats continually evolving, ensuring cyber compliance cannot be reduced to a simple checklist of technologies or policies.  Instead, Boards should ensure that their data security practices actually address the unique risks, data, and technology of their companies.
  • It’s More Than Just Prevention. In addition to having reasonable security precautions in place to protect against a data breach, Boards should be prepared to swiftly respond to a cyber breach if and when it happens.  “Robust” incident response plans that ensure appropriate elevation of security incidents are a necessity.
  • Learning From Mistakes. Boards should not only use prior data breaches at their companies as an opportunity to reevaluate and improve their data security compliance, but should also monitor and learn from other companies’ experiences with data breaches.

As the FTC continues to focus enforcement efforts on ensuring data security compliance, companies and Boards may benefit from reviewing recent FTC settlements to understand the particular type of data security practices the Commission has viewed as reasonable or adequate.  And with the increasing frequency of data breaches and cyber incidents, it is more important than ever that organizations prepare in advance before a crisis unfolds.  To learn more, please download our Global Crisis Management Handbook.