The Federal Trade Commission (FTC) boasts an impressive 70% closure rate for its data breach investigations, according to a keynote address delivered by FTC Commissioner Maureen Ohlhausen for a panel, Federal Online Data Security Regulation: Where Are We Going?
In the keynote address, FTC Commissioner Ohlhausen shares that the FTC does not formally investigate every breach, “as that would be hundreds of cases each year.” But they do close approximately 70% of those investigations they do pursue. In this case, “closing” could mean that the FTC investigation has deemed the company’s security either “reasonable” or “good.” The FTC has settled almost 60 cases involving data security issues, most under Section 5 of the Federal Trade Commission Act, which prohibits deceptive acts or practices, a guideline which gives the FTC authority to pursue data security standards.
In 2015, the Third Circuit court re-affirmed the FTC authority to enforce the data security standards of commercial entities. The FTC announced landmark settlements at the end of 2015, re-enforcing their mandate to step up security enforcement. The significant actions of 2015 also act to discourage others from mounting a significant legal challenge to the FTC’s authority, which may result in data security investigations settling earlier in the proceedings.
As the keynote address highlights, the key is “reasonableness” in data security measures. Data breaches do happen, even for the most well-prepared organizations, but measures should be in place to counter the risks faced by each organization. As Commissioner Ohlhausen stated, the FTC is still determining its own definitions of “reasonableness," as dissent does exist within the FTC, as evidenced by the LifeLock settlement, which determined that PCI-DSS certification was not adequate.
In order to avoid the censure of regulators such as the FTC, organizations must make a clear case that proper safeguards were in place. Organizations should adopt a depth-of-defense or layered approach, which encompasses education, policy and technologies to protect data from a wide variety of risk points. Absolute customers rely on us to provide them with a unique and trusted layer of security so they can maintain visibility and control over their endpoints and the data they contain. Learn more at Absolute.com