FTC Shines a Little Light on Its Data Security Enforcement


Companies concerned about whether they are meeting data security standards acceptable to the Federal Trade Commission have new help. The FTC has been sharing some lessons learned from its data security investigations that were closed without formal enforcement action.

Even though the commission makes public administrative and federal court resolutions of its data security enforcement actions, investigations that are resolved short of such an action have been largely opaque. Sharing information on the nonpublic resolutions process may help companies, and their legal counsel, better understand what the FTC expects in holding companies to a “reasonable data security” standard.

The FTC “Stick with Security” blog initiative builds on its “Start with Security” guidance. The posts use hypothetical examples of security best practices to highlight common themes that have emerged from closed data security investigations.

In the absence of direct data security statutory or regulatory authority, the commission has cited the catch-all prohibition against unfair and deceptive trade practices in Section 5 of the FTC Act to carry out data security compliance actions. Companies under the FTC’s jurisdiction—from internet giants Amazon.com Inc. and Facebook Inc. to smaller businesses such as defunct medical testing company LabMD Inc.—have struggled with what level of data security they must provide to convince the nation’s main data security and privacy enforcement agency that their efforts to protect personal data are reasonable.

LabMD has challenged the FTC’s enforcement standard, and the level of harm required for the FTC to act was “front and center” during federal appeals court oral arguments in June. LabMD argued that the FTC shouldn’t be able to base its action on the mere fact that a company suffers a data breach, but should be required to make a showing of consumer harm.

The commission’s latest blogs have addressed securing remote access to networks; applying sound security practices while developing new products; making sure service providers implement reasonable security measures; putting procedures in place to keep security current and address vulnerabilities that may arise; and securing paper, physical media, and devices.

In earlier blogs, the commission discussed FTC investigations; limiting data collection, retention, use, and training staff; restricting access to data and administrative access; using secure passwords and authentication measures; storing sensitive personal information securely and encrypting it during transmission; and segmenting and monitoring network traffic.

Although some of the lessons may seem obvious, privacy and security attorneys have told Bloomberg BNA that it is always helpful to get insight into the FTC’s regulatory expectations and what the commission believes is “reasonable data security.”
