Law.com Subscribers SAVE 30%
Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
Lessons Learned from Recent FTC Data Security Enforcement Orders
Amid the nation-wide "work from home" routine necessitated by the COVID-19 pandemic, an extraordinary number of businesses turned to the Zoom Video Communications' video conferencing platform. As the use of the Zoom platform increased, so did scrutiny of Zoom's data security practices, which in turn produced a flurry of class action lawsuits against Zoom for "violation of its duty to implement and maintain reasonable security procedures and practices." Like many technology providers, Zoom's Terms of Service (update as of April 13, 2020) stated that Zoom will "maintain reasonable physical and technical safeguards to prevent unauthorized disclosure of or access … in accordance with industry standards."
The proposed class actions against Zoom are illustrative of a challenge many businesses face: What is "reasonable" data security? Organizations in regulated industries typically have more data security parameters, e.g., Health Insurance Portability and Accountability Act (HIPAA), Vermont's Securities Regulations Cybersecurity Procedures and South Carolina's Insurance Data Security Act. Businesses operating outside regulated industries must sift through a patchwork of laws, guidance and enforcement actions.
Getting to reasonable data security is particularly vexing for technology vendors that, like Zoom, are required by law (e.g., the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA)) to contractually promise that their products protect customers' personal data and confidential business information with reasonable data security.
For businesses subject to the authority of Federal Trade Commission (FTC), data security-related enforcement actions and guidance are the primary sources for clarifying the reasonable data security requirement. The FTC's public archives show more than 80 data security-related actions in the past 20 years. In 2015, the FTC distilled 10 data security principles from 50 of its data security enforcement actions into Start with Security: A Guide for Business and later supplemented these principles with the 2017 Stick with Security: A Business Blog Series.
Despite this relatively long history of data security activity, the FTC is criticized for insufficiently clear guidance about what reasonable data security means, including by the 11th Circuit, which vacated a 2016 FTC data security mandating "a complete overhaul of LabMD's data-security program" because it offered "precious little about how this is to be accomplished." Perhaps in response to the 11th Circuit's LabMD decision, in a Jan. 6, 2020 blog post, the FTC touted "significant improvements" in its 2019 data security orders.
Following this cue from the FTC's blog, we analyze the FTC's key data-security-related enforcement during 2019 and 2020 enforcement (to date) for common data security requirements that can help guide businesses in developing their data security programs. The FTC's 2019-2020 enforcement actions include the FTC's same basic data-security-related recommendations from the 2015-2017 guidance but also elaborate with timing and other details:
- Risks Assessment: A business must continually assess internal and external risks to the security, confidentiality and integrity of personal information. In its 2019 i-Dressup order, the FTC emphasizes risk assessments annually and within 30 days following data security-related events, together with security program updates to reflect the risk assessments.
- Testing and Monitoring. A business must monitor and test data security safeguards to ensure their effectiveness. The FTC called out businesses for failing to use "readily available" tools for monitoring, access control, patching and encryption. (Relatedly, in its June 2020 cloud security guidance, the FTC advises business to "take advantage of the security features offered by cloud service companies.") In the May 2020 Final Order involving smart-lock maker Tapplock, the FTC requires network vulnerability testing every four months and annual network penetration testing with test repeats within 30 days after a data security-related event.
- Accountability: A business must assign responsibility for the data security program and ensure adequate oversight. In the May 2020 Tapplock Final Order, the FTC clarified that a "qualified" employee must oversee the data security program and deliver a written status report to the board and management "at least once every twelve months" and "promptly" after a data security-related event.
- Training: Since human error is a common source of data breaches (see, Verizon's Data 2020 Breach Investigations Report), a business must train employees in both the threats identified in data security risk assessments and the safeguards intended to address those threats. In 2019 enforcement orders, the FTC specified annual employee data security training and, for personnel involved with software development, biennial security training.
- Vendor Management: A business must not only select vendors capable of safeguarding data but also contractually obligate those vendors to maintain the safeguards but also verify their compliance with the contractual requirements. In the June 2020 cloud security guidance, the FTC reminds businesses that, even when outsourcing, "if it's your data, it's ultimately your responsibility."
In the 2019-2020 enforcement orders and again in its June 2020 cloud security guidance, the FTC emphasizes certain specific data security controls:
- Encryption of sensitive personal information stored on a business' network;
- Network segmentation to separate sensitive information;
- Data access controls for personal information, including strong passwords and authentication, restricting inbound connections to approved IP addresses, limiting employees' access to the data they need to perform their job functions, deploying data loss prevention tools and inventorying devices connected to the business' network and ensuring the devices are securely installed; and
- Tools for detecting unknown file uploads, limiting the locations to which third parties can upload files on business' network and monitoring network file integrity.
While the requirements in the FTC orders often reflect specific data security failures of the subject business, they also offer FTC-regulated businesses some benchmarks against which to evaluate their data security programs. Of course, determining the best way to implement the FTC's various data security requirements depends on industry, technology, financial and personnel resources and the quantity and sensitivity of the information.
*****
Julia B. Jacobson is a Partner in the Boston office of Arent Fox LLP, advising national and multinational clients on practical and tactical privacy, cybersecurity and marketing law compliance. Natalia J. Kerr is an attorney working for the Boston office of Arent Fox LLP on privacy and cybersecurity matters. Courtney K. Stout is the Chief Privacy Officer for S&P Global, Inc. S&P is a client of Arent Fox.
This premium content is locked for Entertainment Law & Finance subscribers only
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
- Stay current on the latest information, rulings, regulations, and trends
- Includes practical, must-have information on copyrights, royalties, AI, and more
- Tap into expert guidance from top entertainment lawyers and experts
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
How Secure Is the AI System Your Law Firm Is Using?
In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.
COVID-19 and Lease Negotiations: Early Termination Provisions
During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.
Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support
The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.
The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies
Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.
Authentic Communications Today Increase Success for Value-Driven Clients
As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.