The FTC Speaks
On January 6, 2020, the Director of the Federal Trade Commission’s (FTC) Consumer Protection Bureau published a blog post describing changes to the FTC’s approach to its orders and settlements in data breach enforcement actions. One of the key elements of the post was a revision to the FTC’s routine enforcement practice to ensure that its remedial data security orders include greater specificity about compliance expectations, both for companies subject to enforcement action and for the third-party assessors engaged to conduct FTC-mandated monitoring and audits of those companies’ data security practices.
Beyond greater detail guiding data security requirements, the blog post highlights that a core element of the FTC’s model for remedial orders is that senior management, on at least an annual basis, present the company’s written information security program to the board or other governing body for oversight and review, and that management certify to the FTC that the company has complied with data security obligations.
The Growing Role of Managers and Boards in Data Security
The decision by the FTC reflects a growing consensus about the roles and responsibilities of management and boards for the adequacy of enterprise programs to identify, evaluate, and manage data and information security risks. While this is not the first time boards of directors have been held accountable for the security practices of the companies they represent, it shows that this obligation has become mainstream and should be noted by all companies, whether they are the victim of a breach or not.
The FTC’s endorsement of data security-related corporate governance approaches, safeguards, and third-party monitoring methods is likely to impact enforcement expectations of other regulators, whether state, federal or local, responsible for administering data security compliance and breach notification regulations.
Impact on Business
Businesses regularly collect vast amounts of personal information, and often are unaware of the extent, location and accessibility of that information. Moreover, businesses rely on third parties to collect, store, and process data, and the responsibility for the protection of personal data – customer, client and employee data – is a hot potato. Companies are only now reviewing their internal operations, as well as their relationships with vendors, to inventory their data and data collection practices. The FTC’s rule makes it clear that the responsibility for the protection and privacy of personal information will reach to the top of the business.
The CCPA Speaks
The stakes in this battle have been raised with the introduction of California’s Consumer Privacy Act (CCPA) which, among other things, requires businesses subject to the Act to implement reasonable security standards, and authorizes individuals to bring private rights of action in the case of a data breach where an individual can show that the reasonableness standard was not met. Most importantly, the CCPA provides for damages of between $250 and $750 for each violation. Given that the number of impacted records in even a modest data breach reaches into the thousands, the stakes for failing to take data security seriously have been raised.
Companies should be aware that they may be subject to the CCPA even if they do not fall under the definition of a “business” under the CCPA. Since a covered business is required to monitor and control the collection and use of data by its vendors and service affiliates, those entities will find themselves contractually bound to many provisions of the CCPA.
Notably, the CCPA is not the last word – the FTC’s authority reaches beyond the companies subject to the CCPA, and many states and foreign jurisdictions are imposing obligations as well.
What Should You Do?
In its 2016 California Data Breach Report, the California Attorney General included an appendix that sets out in detail the information security framework endorsed by the Attorney General, and it remains one of the few documents that sets out a standard for a minimum level of information security. The report states that: “The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
All companies should pay close attention to this standard. It is likely that in an Attorney General regulatory action or private right of action initiated after a breach, a crucial inquiry will be directed at what kind of information security framework was in place, whether it was appropriate for the organization, whether it was being followed, and whether the highest levels of management addressed the framework.