Companies that have experienced data breaches or security hacks have subsequently found themselves the subject of enforcement actions by the Federal Trade Commission (“FTC”) for violating the FTC Act, due to inadequate protections and provisions that should have been in place. Recently, businesses have challenged the FTC’s ability to go after companies for such violations in the absence of clear guidelines on what the agency legally considers reasonable data practices. In response, acting Chair Maureen Ohlhausen promised that the FTC would be more transparent about its standards, and on July 21, 2017, the FTC announced a new initiative called “Stick with Security.”
“Stick with Security” is a business blog that distills the lessons learned from FTC data security cases into 10 principles that companies can start implementing, not only to protect themselves from present and future threats, but also to be in compliance with the FTC Act.
The first blog draws upon information the FTC released two years ago in Start with Security: A Guide For Business and focuses on recurring themes in cases where the FTC’s breach investigations were ultimately closed with no enforcement action taken.
There’s More (or Less) to the Story Than Meets the Eye
Breach investigations are frequently closed in situations where the FTC has been made aware of new information, following the initial report of a data breach, that negates or severely reduces the threat as first reported. For example, the FTC closed an investigation after learning that the company’s data was encrypted, thus substantially reducing the risk of consumer injury.
Proceeding Further Wouldn’t Be a Good Use of the FTC’s Resources
Breach investigations are frequently closed in situations where the FTC decides that continuing an investigation is not in the public interest. For example, the FTC closed an investigation where a breach occurred, but it happened to a small business that may have only collected negligible amounts of non-sensitive information.
The FTC is Not the Right Agency
Breach investigations are frequently closed in situations where other agencies with related missions would be better suited to deal with data security matters, such as the Department of Justice, the Department of Health and Human Services, the Consumer Financial Protection Bureau, the Federal Communications Commission, and the National Highway Traffic Safety Administration.
The Risk to Data is Theoretical
Breach investigations are frequently closed in situations where researchers bring practices creating vulnerabilities to the FTC’s attention, but the risk of exploitation is theoretical. For example, the FTC closed an investigation in a situation where a vulnerability in a mobile device could technically be exploited, but the data would only be compromised if the hacker had physical possession of the phone.
In the coming days, we will be summarizing the already released “Stick with Security” principles, and then will be blogging about additional principles as they are published by the FTC. Stay tuned!