Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Lessons Learned from Recent FTC Data Security Enforcement Orders

By Julia B. Jacobson, Natalia J. Kerr and Courtney K. Stout
July 01, 2020

Amid the nation-wide "work from home" routine necessitated by the COVID-19 pandemic, an extraordinary number of businesses turned to the Zoom Video Communications' video conferencing platform. As the use of the Zoom platform increased, so did scrutiny of Zoom's data security practices, which in turn produced a flurry of class action lawsuits against Zoom for "violation of its duty to implement and maintain reasonable security procedures and practices." Like many technology providers, Zoom's Terms of Service (update as of April 13, 2020) stated that Zoom will "maintain reasonable physical and technical safeguards to prevent unauthorized disclosure of or access … in accordance with industry standards."

The proposed class actions against Zoom are illustrative of a challenge many businesses face: What is "reasonable" data security? Organizations in regulated industries typically have more data security parameters, e.g., Health Insurance Portability and Accountability Act (HIPAA), Vermont's Securities Regulations Cybersecurity Procedures and South Carolina's Insurance Data Security Act. Businesses operating outside regulated industries must sift through a patchwork of laws, guidance and enforcement actions.

Getting to reasonable data security is particularly vexing for technology vendors that, like Zoom, are required by law (e.g., the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA)) to contractually promise that their products protect customers' personal data and confidential business information with reasonable data security.

For businesses subject to the authority of Federal Trade Commission (FTC), data security-related enforcement actions and guidance are the primary sources for clarifying the reasonable data security requirement. The FTC's public archives show more than 80 data security-related actions in the past 20 years. In 2015, the FTC distilled 10 data security principles from 50 of its data security enforcement actions into Start with Security: A Guide for Business and later supplemented these principles with the 2017 Stick with Security: A Business Blog Series.

Despite this relatively long history of data security activity, the FTC is criticized for insufficiently clear guidance about what reasonable data security means, including by the 11th Circuit, which vacated a 2016 FTC data security mandating "a complete overhaul of LabMD's data-security program" because it offered "precious little about how this is to be accomplished." Perhaps in response to the 11th Circuit's LabMD decision, in a Jan. 6, 2020 blog post, the FTC touted "significant improvements" in its 2019 data security orders.

Following this cue from the FTC's blog, we analyze the FTC's key data-security-related enforcement during 2019 and 2020 enforcement (to date) for common data security requirements that can help guide businesses in developing their data security programs. The FTC's 2019-2020 enforcement actions include the FTC's same basic data-security-related recommendations from the 2015-2017 guidance but also elaborate with timing and other details:

  • Risks Assessment: A business must continually assess internal and external risks to the security, confidentiality and integrity of personal information. In its 2019 i-Dressup order, the FTC emphasizes risk assessments annually and within 30 days following data security-related events, together with security program updates to reflect the risk assessments.
  • Testing and Monitoring. A business must monitor and test data security safeguards to ensure their effectiveness. The FTC called out businesses for failing to use "readily available" tools for monitoring, access control, patching and encryption. (Relatedly, in its June 2020 cloud security guidance, the FTC advises business to "take advantage of the security features offered by cloud service companies.") In the May 2020 Final Order involving smart-lock maker Tapplock, the FTC requires network vulnerability testing every four months and annual network penetration testing with test repeats within 30 days after a data security-related event.
  • Accountability: A business must assign responsibility for the data security program and ensure adequate oversight. In the May 2020 Tapplock Final Order, the FTC clarified that a "qualified" employee must oversee the data security program and deliver a written status report to the board and management "at least once every twelve months" and "promptly" after a data security-related event.
  • Training: Since human error is a common source of data breaches (see, Verizon's Data 2020 Breach Investigations Report), a business must train employees in both the threats identified in data security risk assessments and the safeguards intended to address those threats. In 2019 enforcement orders, the FTC specified annual employee data security training and, for personnel involved with software development, biennial security training.
  • Vendor Management: A business must not only select vendors capable of safeguarding data but also contractually obligate those vendors to maintain the safeguards but also verify their compliance with the contractual requirements. In the June 2020 cloud security guidance, the FTC reminds businesses that, even when outsourcing, "if it's your data, it's ultimately your responsibility."

In the 2019-2020 enforcement orders and again in its June 2020 cloud security guidance, the FTC emphasizes certain specific data security controls:

While the requirements in the FTC orders often reflect specific data security failures of the subject business, they also offer FTC-regulated businesses some benchmarks against which to evaluate their data security programs. Of course, determining the best way to implement the FTC's various data security requirements depends on industry, technology, financial and personnel resources and the quantity and sensitivity of the information.

*****

Julia B. Jacobson is a Partner in the Boston office of Arent Fox LLP, advising national and multinational clients on practical and tactical privacy, cybersecurity and marketing law compliance. Natalia J. Kerr is an attorney working for the Boston office of Arent Fox LLP on privacy and cybersecurity matters. Courtney K. Stout is the Chief Privacy Officer for S&P Global, Inc. S&P is a client of Arent Fox.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
'Huguenot LLC v. Megalith Capital Group Fund I, L.P.': A Tutorial On Contract Liability for Real Estate Purchasers Image

In June 2024, the First Department decided Huguenot LLC v. Megalith Capital Group Fund I, L.P., which resolved a question of liability for a group of condominium apartment buyers and in so doing, touched on a wide range of issues about how contracts can obligate purchasers of real property.

Strategy vs. Tactics: Two Sides of a Difficult Coin Image

With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.

CoStar Wins Injunction for Breach-of-Contract Damages In CRE Database Access Lawsuit Image

Latham & Watkins helped the largest U.S. commercial real estate research company prevail in a breach-of-contract dispute in District of Columbia federal court.

Fresh Filings Image

Notable recent court filings in entertainment law.

The Article 8 Opt In Image

The Article 8 opt-in election adds an additional layer of complexity to the already labyrinthine rules governing perfection of security interests under the UCC. A lender that is unaware of the nuances created by the opt in (may find its security interest vulnerable to being primed by another party that has taken steps to perfect in a superior manner under the circumstances.