FTC Lessons Learned: Corporate Board Oversight

Hinshaw Privacy & Cyber Bytes - Insights on Compliance, Best Practices, and Trends

The Business Alert

On April 28, 2021, the FTC issued a business alert reminding corporate boards to make data security a priority and to advocate implementing a top-down approach to the issue. The alert warns: “In addition to the significant costs to consumers, data breaches, network intrusions, and looming cyber threats can open up a firm to substantial financial costs, reputational hits, and legal liability.” The Business Alert suggests that data security begins with corporate Board of Directors instead of the IT Department.

The Recommendations

FTC staff offered five “common-sense recommendations for conscientious directors.”

  1. Make data security a priority. This includes building a team of stakeholders from across the organization and holding regular security briefings.
  2. Understand cybersecurity risks and challenges facing the company. Board members should set priorities and allocate necessary resources.
  3. Don’t confuse legal compliance with security. The alert cautioned against adopting a “check the box” approach in favor of a security program that is narrowly tailored to the company’s unique circumstances.
  4. It’s more than just prevention. An effective security program should be enhanced with a “robust incident response plan.”
  5. Learn from mistakes, both internally and externally.

The Takeaways

The FTC staff recommendation that board members “talk the talk and walk the walk” is the key takeaway. This effort includes having tough conversations like:

  • What kind of data are we keeping and why? And where are we keeping it?
  • Are our policies and procedures adequate to protect our data?
  • Are our actual security practices in line with our policies and our public-facing statements?
  • Are our security investments and expenditures in line with our security risks and threats?

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hinshaw Privacy & Cyber Bytes - Insights on Compliance, Best Practices, and Trends | Attorney Advertising

Written by:


Hinshaw Privacy & Cyber Bytes - Insights on Compliance, Best Practices, and Trends on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.