The FTC recently summarized three major changes it made to its orders in data security cases. In a blog post signaling these changes, the FTC indicated that some of the things it has been requiring of companies in 2019 are here to stay.
First, the orders have been – and will continue to be – more specific about the expectations for implementing a comprehensive data security program. Historically, orders had generally required companies to implement an information security program with reasonable safeguards to control the risks identified through a risk assessment. In more recent cases, the FTC has itemized the specific controls it expects the data security program to include, for example training all employees at least every 12 months, encrypting certain information, and using access controls such as authentication and restricting connections to approved IP addresses.
Second, the FTC plans to hold third-party assessors that review companies’ security programs more accountable. Assessors may now be expected to identify the evidence supporting their conclusions, which may include employee interviews. The FTC also plans to approve and review assessors every two years.
Finally, senior officers may be expected to provide annual certifications of compliance to the FTC as part of the order. The certification will require the senior officer to confirm that the requirements of the order have been implemented and that there’s no material instance of noncompliance.
Putting it Into Practice: Companies should be mindful of these trends when putting together 2020 strategic priorities for cybersecurity efforts. Namely, organizations should make sure training efforts can withstand the test of interviews of employees. Also, senior officers must have a meaningful understanding of a company’s information security program.