July 11, 2020

Volume X, Number 193

New Trends Emerge in FTC Data Security Orders, Including Emphasis on C-Suite Involvement

The FTC recently summarized three major changes it made to its orders in data security cases. In a blog post signaling these changes, the FTC indicated that some of the things it has been requiring of companies in 2019 are here to stay.

First, the orders have been – and will continue to be – more specific about the expectations for implementing a comprehensive data security program. Historically, orders had generally required companies to implement an information security program with reasonable safeguards to control the risks identified through a risk assessment. In more recent cases, the FTC has itemized the specific controls it expects the data security program to include, for example training all employees at least every 12 months, encrypting certain information, and using access controls such as authentication and restricting connections to approved IP addresses.

Second, the FTC plans to hold the third-party assessors that review companies’ security programs more accountable. Assessors may now be expected to identify the evidence supporting their conclusions, which may include employee interviews. The FTC also plans to approve and review assessors every two years.

Finally, senior officers may be expected to provide annual certifications of compliance to the FTC as part of the order. The certification will require the senior officer to confirm that the requirements of the order have been implemented and that there’s no material instance of noncompliance.

Putting it Into Practice: Companies should be mindful of these trends when putting together 2020 strategic priorities for cybersecurity efforts. Namely, organizations should make sure training efforts can withstand the test of interviews of employees. Also, senior officers must have a meaningful understanding of a company’s information security program.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume X, Number 15


About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...