The Federal Trade Commission asserted its data security authority in two recent back-to-back enforcement actions, only a day apart from each other.
First, on July 28, 2016, the FTC approved the final order of its settlement agreement with ASUSTek Computer, Inc., settling charges that critical security flaws in ASUSTek’s routers and cloud services put hundreds of thousands of consumers’ privacy at risk. The settlement requires ASUSTek to implement a comprehensive security program to address security risks and protect information privacy and security. In implementing its security program, ASUSTek is specifically required to designate an employee responsible for the security program; to perform risk assessments to identify internal and external security and privacy risks; to cover training, privacy and security by design, third party security vulnerability reports, intrusion detection, and vulnerability assessments in performing the required risk assessments; to implement safeguards to address any risks identified; to regularly test or monitor safeguards; to implement a vendor management program; and to evaluate and adjust its security program based on testing findings. Moreover, ASUSTek must notify consumers about software updates or other steps that consumers can take to protect themselves from security flaws in ASUSTek products, and is prohibited from misleading consumers about its products’ security. ASUSTek will also be subject to (costly) independent audits on its security program, for the next 20 years.
Second and on the following day, July 29, the FTC issued an order reversing an Administrative Law Judge’s (ALJ) decision that dismissed the FTC’s charges against LabMD, Inc., a medical testing lab company. The FTC based its reversal on the ALJ’s application of the wrong standard for unfairness, concluding instead that LabMD’s data security practices constitute unfair practices and citing LabMD’s lack of basic precautions to protect sensitive information, failure to use an intrusion detection system, neglecting to monitor firewall traffic, failure to provide data security training to employees, and failure to delete any consumer data collected.
What’s the Takeaway?
The FTC has been continuing to ramp up its enforcement activities in the data security arena, notably following the Third Circuit Court of Appeals’ decision in FTC v. Wyndham last year, in which the FTC’s authority to challenge lax data security practices was upheld by the court under the FTC Act’s unfairness prong. Privacy and security requirements are also becoming more and more integrated with each other—as best illustrated by robust regulations that cover both, such as HIPAA here in the United States and the GDPR in the EU—making it unwise for organizations to focus on one area, but not the other. Organizations should therefore ensure that they are paying equal attention to the privacy and security of information, which constitute the twin prongs of data protection.