New Trends Emerge in FTC Data Security Orders, Including Emphasis on C-Suite Involvement

Sheppard Mullin Richter & Hampton LLP

The FTC recently summarized three major changes it made to its orders in data security cases. In a blog post signaling these changes, the FTC indicated that some of the things it has been requiring of companies in 2019 are here to stay.

First, the orders have been – and will continue to be – more specific about the expectations for implementing a comprehensive data security program. Historically, orders had generally required companies to implement an information security program with reasonable safeguards to control the risks identified through a risk assessment. In more recent cases, the FTC has itemized the specific controls it expects the data security program to include. Examples include training all employees at least every 12 months, encrypting certain information, and using access controls such as authentication and restricting connections to approved IP addresses.

Second, the FTC plans to hold third-party assessors that review companies’ security programs more accountable. Assessors may now be expected to identify the evidence supporting their conclusions. This may include employee interviews. The FTC also plans to approve and review assessors every two years.

Finally, senior officers may be expected to provide annual certifications of compliance to the FTC as part of the order. The certification will require the senior officer to confirm that the requirements of the order have been implemented and that there’s no material instance of noncompliance.

Putting it Into Practice: Companies should be mindful of these trends when putting together 2020 strategic priorities for cybersecurity efforts. Namely, organizations should make sure training efforts can withstand the test of interviews of employees. Also, senior officers must have a meaningful understanding of a company’s information security program.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
