
The FTC Summarizes Changes to Its Data Security Orders


In a January 6, 2020 blog post, Andrew Smith, the Director of the FTC's Bureau of Consumer Protection, summarized three major changes introduced in the FTC's data security orders in 2019.

Since the early 2000s, the FTC's data security orders have typically required a company to implement a comprehensive information security program subject to biennial outside assessment. Following the 11th Circuit's 2018 LabMD decision, which struck down an FTC data security order as vague and unenforceable, the FTC made the following improvements, as reflected in seven different orders announced in 2019:

First, the orders are now more specific. Whereas the orders continue to require that a company implement a comprehensive and process-based data security program, they now also require the company to implement specific safeguards addressing the problems outlined in the complaint, such as annual employee training, access controls, monitoring systems for data security incidents, patch management systems, and encryption.

Second, the orders increase third-party assessor accountability. The new orders give the FTC authority to approve and reapprove assessors every two years. Furthermore, the orders clearly and specifically require third-party assessors to identify evidence in support of their conclusions, including independent sampling, employee interviews, and document review. The assessors are required to retain documentation related to assessments and cannot refuse to provide documents on the basis of certain privileges.

Third, the orders elevate data security considerations to the C-Suite and Board level. Under the new orders, companies are required to present their Boards with their written information security programs, and senior officers must now provide annual certifications of compliance to the FTC.

The new requirements in the FTC orders highlight the importance for organizations of prioritizing data security and of developing and implementing robust privacy and data security programs that establish strong accountability at all organizational levels, including the C-Suite and the Board. A proactive and diligent approach to data security will go a long way toward minimizing and managing an organization's security and regulatory risks.
