Yesterday, Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, announced the following three major improvements that have been made to FTC orders in data security cases:
- Specificity: To counter past criticisms that FTC orders to implement comprehensive information security programs were too vague, FTC orders will now require specific security safeguards that address specific allegations in the complaint brought against each company.
- Third-party assessor accountability: FTC orders will now give the FTC authority to approve (and re-approve every two years) the third-party assessors that are tasked with reviewing comprehensive data security programs. Assessors can no longer be a rubber stamp, but must provide the FTC with documents supporting conclusions reached in any assessment, so that the FTC can investigate compliance with and enforce its orders.
- Executive responsibility: Copying other legal regimes, such as the New York Department of Financial Services Cybersecurity Regulations, FTC orders will now require companies to present to their Boards about their written information security program every year, so that senior officers can provide annual certifications of compliance to the FTC. (Director Smith stated that he believes that holding individuals personally accountable under oath is an effective compliance mechanism to incentivize high-level oversight of, and appropriate attention to, data security.)
In his announcement, Director Smith referenced several FTC 2019 data security orders that reflect these improvements. Companies that find themselves subject to FTC investigation should be mindful of and prepared for the evolving nature of the FTC’s data security orders in the areas involved in these orders.