FTC Announces Improved Data Security Orders with Greater Specificity and Accountability
The FTC recently announced its intention to continue strengthening the orders it issues in data security enforcement cases, adding to other changes it has undertaken over the last several years to guide companies toward improved data security and provide greater deterrence against illegal practices.
The FTC is undertaking three areas of improvement for its orders: (i) requiring implementation of comprehensive, process-based information security programs, with greater specificity aimed at addressing the defects identified in the FTC’s investigations/complaints, thus improving enforceability; (ii) increasing third-party data security assessment accountability and the rigor of assessment standards; and (iii) elevating data security considerations by requiring senior management and company boards to receive written information security program details and make annual compliance certifications to the FTC.