Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

10 Lessons from FTC Guidance on Data Security

By Marc S. Roth
April 01, 2016

“Not if, but when.” These simple words are enough to keep privacy officers, corporate counsel, compliance officers and IT managers up at night when faced with the reality that their network will at some point be breached. This is no surprise given the spate of corporate breaches and unauthorized network intrusions reported in recent years, as well as the costs, reputational harm and investigations and lawsuits that follow in their wake. While there are no silver bullets to stop breaches from occurring, understanding and following legal actions brought by regulatory agencies and heeding security guidance they issue can go a long way in preventing security lapses and unauthorized attacks.

There is no omnibus federal law that prescribes the level of security that companies must use to protect consumer information. Instead, Congress has identified certain categories of sensitive data that warrant regulation, such as health and financial information, and online information collected from children under 13, resulting in the Health Information Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLB Act), the Fair Credit Reporting Act (FRCA), and the Children's Online Privacy Protection Act (COPPA), respectively.

Each of the above laws (and their implementing regulations) to some extent dictate specific data security standards for companies that possess consumer information in these industries. But for the vast number of companies that do not fall within these categories, knowing what standards they are expected to employ to protect consumer information remains an elusive task. Notwithstanding this void, companies that fail to develop a comprehensive data security plan and implement at least some level of minimum security measures to protect consumer information remain vulnerable to attacks, lawsuits and regulatory investigations.

Read These Next
Major Differences In UK, U.S. Copyright Laws Image

This article highlights how copyright law in the United Kingdom differs from U.S. copyright law, and points out differences that may be crucial to entertainment and media businesses familiar with U.S law that are interested in operating in the United Kingdom or under UK law. The article also briefly addresses contrasts in UK and U.S. trademark law.

The Article 8 Opt In Image

The Article 8 opt-in election adds an additional layer of complexity to the already labyrinthine rules governing perfection of security interests under the UCC. A lender that is unaware of the nuances created by the opt in (may find its security interest vulnerable to being primed by another party that has taken steps to perfect in a superior manner under the circumstances.

Strategy vs. Tactics: Two Sides of a Difficult Coin Image

With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.

Legal Possession: What Does It Mean? Image

Possession of real property is a matter of physical fact. Having the right or legal entitlement to possession is not "possession," possession is "the fact of having or holding property in one's power." That power means having physical dominion and control over the property.

The Anti-Assignment Override Provisions Image

UCC Sections 9406(d) and 9408(a) are one of the most powerful, yet least understood, sections of the Uniform Commercial Code. On their face, they appear to override anti-assignment provisions in agreements that would limit the grant of a security interest. But do these sections really work?