by Andrew R. Brownstein, Steven A. Rosenblum, John F. Savarese, Marshall L. Miller, and Jeohn Salone Favors
In a blog post published this week, the Director of the FTC’s Consumer Protection Bureau detailed recent changes to the FTC’s baseline approach to remedial orders in data breach enforcement actions. The changes were spurred in part by a 2018 Court of Appeals decision that found an FTC order’s requirement that a company implement “reasonable” data security measures to have been too vague to be enforceable. The FTC has reworked its routine enforcement practice to ensure that remedial data security orders include significantly greater specificity about compliance expectations for companies subject to enforcement action and for third-party assessors engaged to conduct FTC-mandated monitoring and audits of targeted companies’ data security practices.
The blog post notes that a core element of the FTC’s model for remedial orders, evidenced by common elements of the data security orders the FTC has issued over the last year, including its headline action against Facebook, is the requirement that senior management, on at least an annual basis, present the company’s written information security program to the board for oversight and review, and that management also certify to the FTC the company’s compliance with its data security obligations. This FTC enforcement practice reflects a growing consensus about the roles and responsibilities of management and boards for the adequacy of enterprise programs to identify, evaluate, and manage data and information security risks.
The endorsement by the FTC of data security-related corporate governance approaches, safeguards, and third-party monitoring methods may also be expected to inform the enforcement expectations of other regulators responsible for administering state, federal, or foreign data security compliance and breach notification regulations. We continue to recommend that boards integrate regular evaluation of cyber preparedness and incident response plans into their strategic risk oversight functions.
Andrew R. Brownstein, Steven A. Rosenblum, and John F. Savarese are partners, Marshall L. Miller is of counsel, and Jeohn Salone Favors is an associate at Wachtell, Lipton, Rosen & Katz.
Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.