FTC Shares Its “New & Improved” Data Security Orders

On January 6, 2020, Andrew Smith, Director of the Federal Trade Commission's ("FTC") Bureau of Consumer Protection, outlined the key changes made in 2019 to the Commission's data security orders. The changes, intended to give businesses clearer guidance and consumers stronger protection, are the product of a year-long effort to strengthen those orders. A principal motivation was to put the orders on a footing that will survive court scrutiny, following the Eleventh Circuit's 2018 LabMD decision, which struck down an FTC data security order as unenforceably vague.

The changes to the FTC’s data security orders fall into three main categories:

1. The orders are more specific. They continue to require businesses to implement a comprehensive security program, but they now also require specific safeguards that address the problems alleged in the complaint, such as annual employee training, access controls, monitoring systems for data security incidents, patch management systems, and encryption.

2. The orders increase third-party assessor accountability. Greater rigor is applied to the outside assessments used to review the data security program the orders require. Assessors must identify the evidence supporting their conclusions, including independent sampling, employee interviews, and document review. Assessors must retain the documents related to the assessment and cannot withhold them from the FTC by asserting certain privileges. Additionally, the FTC may approve and re-approve assessors every two years and, based on its review, can require a company to retain a different assessor.

3. The orders elevate data security to the C-suite and Board level. Companies must present their Board (or similar governing body) with written information about the security program each year, and senior officers must submit annual certifications of compliance to the FTC.

These changes are already reflected in seven orders announced in 2019 against a diverse array of businesses, and they will likely shape the FTC's enforcement activity in 2020.