FTC Brings Clarity to its Data Security Enforcement Orders Following Criticism That They Were ‘Unenforceably Vague’
January 22, 2020 – Alerts
Following an 11th Circuit Court decision that struck down a 2018 Federal Trade Commission (FTC) order as “unenforceably vague,” the FTC has “instructed staff to closely review [their] orders to determine whether they could be strengthened and improved – particularly in the areas of privacy and data security.” Recent enforcement orders show the FTC is now providing clear instructions on what compliance means for data security and privacy practices.
This new approach means companies that handle personal data should examine their technical and organizational data security practices to ensure they can withstand tighter agency scrutiny.
FTC’s recent enforcement orders are quite specific about the data security practices it considers to be reasonable remediation to data security failures. In a recent blog post, the FTC lists three major changes to improve its data security orders.
- Making the orders more specific. FTC defines a comprehensive security program by including specific safeguards such as yearly employee training, access controls, monitoring systems for data security incidents, patch management systems and encryption.
- Increased third-party assessor accountability. FTC expects third-party assessors to identify evidence to support their conclusions, conduct employee interviews and document their reviews. Third-party assessors must retain documents related to the assessment. Notably, assessors cannot refuse to provide documents to the FTC due to certain privileges, including the attorney-client privilege. FTC’s recent orders also permit the agency to approve and re-approve assessors every other year and withhold approval where appropriate.
- Data security considerations elevated to the C-suite and board level. Recent FTC orders have required board members to review their company's written Information Security Program and have separately required senior officers to obtain annual certifications.
In a recent decision against InfoTrax, a web portal service provider for multilevel marketing companies, the FTC found that the company failed to implement reasonable security safeguards, allowing a hacker to access personal information of more than a million consumers. InfoTrax stored sensitive personal information, including names, birthdates, addresses, Social Security numbers, payment card information, bank account information and account user IDs and passwords. No fewer than 17 times over a two-year period, an intruder exploited vulnerabilities in InfoTrax’s server, which contained unmasked personal information.
FTC tagged InfoTrax with numerous security failures, including:
- Failure to delete personal information after it was no longer needed
- Failure to assess the cybersecurity risk posed to consumers’ personal information stored on InfoTrax’s network by regularly reviewing software code and conducting penetration testing
- Failure to detect malicious file uploads
- Failure to limit the locations to which third parties could upload unknown files
- Failure to prevent one client from accessing another client’s data
- Failure to implement safeguards to detect cybersecurity events, including:
  - a detection system to alert the company of unauthorized access to its network;
  - integrity monitoring tools to determine whether files are altered; and
  - a data loss prevention tool to monitor unauthorized attempts to exfiltrate personal information
- Failure to encrypt Social Security numbers, payment card information, bank account information and authentication credentials such as user IDs and passwords
Regarding third-party assessors, the FTC required:
- The assessment must be provided by an independent third-party professional who uses procedures generally accepted in the profession.
- The assessor must retain all documents relevant to each assessment for five years.
- The assessor must provide relevant documents to the FTC and cannot withhold them on the basis of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege or statutory exemption.
Regarding the assessment, the FTC required:
- The assessment must cover an initial assessment and each two-year period thereafter for 20 years after issuance of the order.
- The assessment must identify gaps in the Information Security Program and adjust accordingly.
- The assessment must identify specific evidence, including which documents were reviewed, the sampling and testing performed and describe the interviews conducted.
- The assessment must explain why the evidence the assessor examined justifies the assessor’s findings.
A senior corporate manager must certify the following annually:
- The company has implemented and maintained the provisions of the enforcement order.
- The company is unaware of any material noncompliance that has not been corrected or disclosed to the FTC.
The certification must:
- include a brief description of any covered unauthorized access incidents; and
- be based on the senior manager’s personal knowledge or on a subject matter expert on whom the senior manager relies.
Companies that handle personal information and are subject to FTC jurisdiction should take a closer look at their information security practices, both on the technical side and on the organizational side (read: documentation) and start formalizing their protections to withstand this closer FTC scrutiny.
A specific look at data retention practices is warranted. This is not the first time the FTC has flagged “failure to delete information after it is no longer needed.” The fact that the FTC is looking at this, together with the fact that data minimization has been included in the new CCPA ballot initiative and a number of privacy bills, may signal a trend in enforcement.
Ciera Logan is an attorney in Fox Rothschild’s Privacy & Data Security Practice Group. For assistance with a full range of state, federal and international privacy and data security compliance issues, contact Ciera at 609.572.2236 or [email protected].