Recent challenges to the Federal Trade Commission’s (“FTC”) authority to police data security practices have criticized the agency’s failure to provide adequate guidance. In other words, the criticism goes, businesses do not know what they need to do to avoid a charge that their data security programs fall short of the law’s requirements. A new series of blog posts, titled “Stick with Security,” follows promises from acting Chair Maureen Ohlhausen to provide more transparency about practices that contribute to reasonable data security. While the first two posts do not provide much insight into specific data security practices businesses should take, they do suggest that the FTC sees encryption and employee training as essential parts of a comprehensive data security program.
Building on the data security principles drawn from FTC enforcement actions and articulated more than two years ago in Start with Security: A Guide For Business, the inaugural post addresses the question of whether there are any recurring themes in the data security investigations the FTC has closed. The answer is general: the practices that led staff to close investigations largely aligned with those recommended in Start with Security. “For example, the companies typically had effective procedures in place to train their staff, keep sensitive information secure, address vulnerabilities and respond quickly to new threats.” These general conclusions do not suggest actual practices that businesses can operationalize. It would be more helpful for the FTC to specify precisely what those companies did to avoid an enforcement action. For example, should employee training be monthly? Should databases be password protected? Should companies use masking, hashing, or encryption? The post does note that the FTC may close an investigation where the risk of harm in the event of a data breach is low because the data was properly encrypted.
In light of the two posts so far, it appears that the Stick with Security series will generally affirm the types of “reasonable” security practices that are by now becoming standard best practices. Indeed, the second post refreshes the baseline “start with security” principle from the FTC’s Start with Security guidance. Companies are reminded (with updated examples): to not collect personal information they don’t need, to hold onto information only as long as there is a legitimate business need, to not use personal information when it is not necessary, to regularly train and remind staff on security standards and practices, and, when feasible, to offer consumers more secure choices.
The FTC promises a new post every Friday over the coming months. The next post, expected on August 4, will focus on the second principle in the Start with Security guide, which is sensibly controlling access to data. While it is encouraging that the FTC is attempting to increase its guidance to businesses, it remains to be seen what new insights a business will actually be able to glean from these efforts.