FTC Touts Revisions To Its Data Security Orders
On January 6, Andrew Smith, the Director of the Federal Trade Commission’s (FTC or Commission) Bureau of Consumer Protection, published a notable blog post touting revisions that the FTC made to its data security orders in 2019. He identified three key changes the Commission made over the past year: (1) more specificity; (2) greater third-party assessor accountability; and (3) elevation of data security considerations to the C-Suite and Board level. The agency’s orders are relatively standardized, and the agency does not often announce order changes, so the Director’s announcement here signals some of the agency’s key priorities in data security. We discuss each change in turn.
First, the FTC highlighted that its 2019 orders were “more specific” than prior orders. This trend is something we previously flagged in the Commission’s settlement with LightYear Dealer Technologies last June. Director Smith explains that this change stemmed—in part—from the Eleventh Circuit LabMD decision from 2018 that struck down an FTC order as unenforceable for vagueness. The post highlights that FTC data security orders now require “specific safeguards” to address problems flagged by the Commission, including:
monitoring systems for data security incidents;
patch management systems; and
Second, the FTC explained that its orders increase third-party assessor accountability. The FTC uses third-party assessors to ensure that parties are complying with the agency’s data security orders. The new orders lay out specific requirements for assessors, including an obligation to retain relevant documents and turn them over to the FTC upon request. The FTC’s new orders also give the agency the authority to “approve and re-approve assessors every two years” so that it can hold them accountable.
Third, and perhaps most importantly, the FTC has started to include provisions designed to elevate data security to the highest organizational levels. Director Smith highlights that “every year companies must now present their Board or similar governing body with their written information security program,” and “senior officers must now provide annual certifications of compliance to the FTC.” He argues these kinds of certifications have proven successful in other regulatory contexts—for example, in securities law—and cites research in support of improving corporate governance on data security. This is another trend we previously highlighted as part of a broader regulatory push to get boards of directors and other senior company officials involved in cybersecurity, which includes Securities and Exchange Commission guidance on the role of corporate boards in managing cyber risk.
Moving forward, the FTC is likely to continue building on these three areas of focus. Director Smith notes that “strengthen[ing]” the agency’s data security orders was a priority of both himself and Chairman Simons when they arrived at the agency in 2018, and this announcement and the agency’s recent enforcement actions provide further indication that data security will remain a priority this year. In particular, the focus on “elevat[ing] data security to the C-Suite and Board level,” as described in the post, suggests that the agency will continue to focus on corporate governance efforts when it comes to data security enforcement in 2020 and beyond.