The Federal Trade Commission (FTC) is making waves in data enforcement circles right now. In this post, we outline some of the latest evidence of FTC’s commitment to a strong data enforcement program and how you can shore up your defences to avoid censure.
At the end of 2015, the Administrative Law Judge (ALJ) in the LabMD matter ruled against the FTC, finding that the Commission had not met its burden of proving that LabMD's data security practices caused, or were likely to cause, substantial injury to consumers. That ruling was a Pyrrhic victory: the years of litigation ultimately cost LabMD its business. This summer the Commission reversed the ALJ's decision, holding that LabMD's practices were "likely" to cause harm and that proof of actual harm was not required. In doing so, the FTC reasserted its authority under Section 5 of the FTC Act to require "reasonable" data security practices without evidence that anyone was actually injured. LabMD is, as one would expect, appealing. The outcome, which now rests with the US Court of Appeals, has broad ramifications for any organization that holds consumer data.
The FTC recently requested public comment on the Standards for Safeguarding Customer Information (the "Safeguards Rule") as part of its systematic review of FTC rules and guides. Issued under the Gramm-Leach-Bliley Act (GLBA), the Safeguards Rule requires financial institutions within the FTC's jurisdiction to have mechanisms in place to secure customer information, and it reaches their affiliates and the service providers that handle that information on their behalf. The Rule gives the FTC authority to regulate data security practices independently of its general enforcement power under Section 5 of the FTC Act.
The FTC is seeking comment on the economic impact and benefits of the Rule, on possible conflicts between the Rule and other federal, state or local regulations, and on the "effect on the Rule of any technological, economic or other industry changes." The current Safeguards Rule was deliberately written to be technology-agnostic: rather than prescribing particular controls, it requires safeguards that address the risks an institution has identified, and those risks change over time.
Positioning itself as a data security regulator, the FTC recently published an article on the NIST Cybersecurity Framework and the FTC, addressing the question of whether compliance with the Framework would satisfy the FTC. The post explains why the question is ill-posed and then maps the FTC's enforcement actions onto the Framework's five Core functions: Identify, Protect, Detect, Respond and Recover. It stresses that there is no one-size-fits-all approach to cybersecurity. Instead, it underscores the importance of conducting a risk assessment and taking "reasonable" measures in "light of the volume and sensitivity of information the company holds, the size and complexity of the company's operations, the cost of the tools that are available to address vulnerabilities, and other factors."
The post reiterates that an organization cannot "comply" with the Framework, since it is a set of risk management practices rather than a checklist, but that the Framework and the FTC's approach are "fully consistent." It then cites specific enforcement cases brought over failures that map to the five Core functions: failing to protect data in transit and at rest, failing to train staff, and failing to monitor for potential cybersecurity events.
To avoid the censure of regulators such as the FTC, an organization must be able to make a clear case that reasonable safeguards were in place. That case is only as strong as the record behind it: a documented risk assessment, the controls chosen in response to it, and evidence (logs, training records, monitoring alerts) that those controls were actually operating when an incident occurred. Organizations should adopt a defense-in-depth, layered approach, one that combines education, policy and technology to protect data across a wide variety of risk points. Absolute customers rely on us to provide them with a unique and trusted layer of security so they can maintain visibility and control over their endpoints and the data they contain. Learn more at Absolute.com