In a January 6, 2020 blog post, Director of the Federal Trade Commission (“ FTC”) Bureau of Consumer Protection, Andrew Smith, outlined the agency’s evolving approach toward data security enforcement, as evidenced by seven data security orders issued in 2019. The FTC expects the changes, detailed below, to result in clearer guidance for companies:
- Data security orders will be specific. Companies should no longer expect the standard language that has characterized data security orders since the early 2000s. Forthcoming FTC orders will provide clearer guidance and require companies to implement safeguards that are responsive to specific allegations. Smith writes that the FTC expects a greater degree of specificity will make it easier for the agency to enforce its orders, likely heeding the 11th Circuit’s holding in the 2018 LabMD decision vacating the order in that case for vagueness.
- Assessors will be held accountable. Where the FTC orders the appointment of a third-party assessor, companies should expect increased FTC scrutiny with respect to the quality of the assessor. Forthcoming orders will require third-party assessors to provide the FTC with evidence of their conclusions and any supporting documentation upon request, which may not be withheld on a claim of confidentiality, work product protection, attorney-client privilege or similar claims. Going forward, orders will also grant the FTC authority to approve and re-approve assessors every two years, to ensure maximum accountability.
- Governing bodies will have data security oversight. Relying on studies that suggest greater board attention to data security has a positive effect on a Company’s data safeguards, Smith writes that future FTC orders will require companies to present to their governing bodies written copies of their information security programs. The FTC will require senior officers to provide certifications of compliance (under oath) to the FTC on an annual basis, mirroring the U.S. securities law regime, with the aim of incentivizing management to engage personally in data security compliance.
Smith’s recapitulation of the agency’s thinking on data security enforcement is helpful for companies in developing their own data security regimes. As the agency’s approach in this area continues to evolve, the transparency reflected in the FTC’s blog post is welcome and important.
The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.