The Federal Trade Commission (FTC) has taken more than 25 actions alleging that inadequate information security constituted an unfair trade practice in violation of the FTC Act. In these enforcement actions, the FTC has targeted corporations for failure to implement “reasonable and appropriate security measures” and requires in the subsequent consent orders that the organizations implement a comprehensive written information security program and submit to thirdparty assessments of that program every other year for the duration of the order (usually 20 years).
But what does “reasonable security” really mean? And more important, how do you apply reasonable security measures to your business? Although you can rely to some extent on technology standards and industry best practices, information security law has evolved to a point where case law and FTC enforcement actions are a source of some suggestions.
Please see full publication below for more information.