In a January 6, 2020 blog post, the Director of the Federal Trade Commission’s Bureau of Consumer Protection reflected on how the FTC has taken action over the past year to strengthen its orders in data security cases. These orders have been a subject of focus for the FTC: in June 2018, the 11th Circuit’s LabMD decision struck down an FTC data security order as unenforceably vague, and the FTC subsequently held a hearing in the course of the FTC’s Hearings on Competition and Consumer Protection in the 21st Century on how it could improve data security orders.

The FTC identified three categories of improvements in its orders: (1) more specificity regarding company requirements; (2) increased third-party assessor accountability; and (3) c-suite and Board obligations. These elements are reflected in seven FTC orders announced in 2019 against companies in a variety of sectors: (1) ClixSense (pay-to-click survey company); (2) i-Dressup (children’s online games); (3) DealerBuilt (car dealer software provider); (4) D-Link (Internet-connected routers and cameras); (5) Equifax (credit bureau); (6) Retina-X (monitoring app); and (7) Infotrax (service provider for multilevel marketers).