Be Reasonable: Recent FTC Enforcement Orders on Data Security
Proposed class actions against Zoom are illustrative of a challenge many businesses face: What is "reasonable" data security? The FTC's key data-security-related enforcement can help guide businesses in developing their data security programs.
June 24, 2020 at 07:00 AM
7 minute read
Amid the nation-wide "work from home" routine necessitated by the COVID-19 pandemic, an extraordinary number of businesses turned to the Zoom Video Communications' video conferencing platform. As the use of the Zoom platform increased, so did scrutiny of Zoom's data security practices, which in turn produced a flurry of class action lawsuits against Zoom for "violation of its duty to implement and maintain reasonable security procedures and practices." Like many technology providers, Zoom's Terms of Service stated that Zoom will "maintain reasonable physical and technical safeguards to prevent unauthorized disclosure of or access … in accordance with industry standards."
The proposed class actions against Zoom are illustrative of a challenge many businesses face: What is "reasonable" data security? Organizations in regulated industries typically have more data security parameters, e.g., Health Insurance Portability and Accountability Act Security Rule, Vermont's Securities Regulations Cybersecurity Procedures and South Carolina's Insurance Data Security Act. Businesses operating outside regulated industries must sift through a patchwork of laws, guidance and enforcement actions.
Getting to reasonable data security is particularly vexing for technology vendors that, like Zoom, are required by law (e.g., General Data Protection Regulation and California Consumer Privacy Act of 2018) to contractually promise that their products protect customers' personal data and confidential business information with reasonable data security.
For businesses subject to the authority of Federal Trade Commission (FTC), data security-related enforcement actions and guidance are the primary sources for clarifying the reasonable data security requirement. The FTC's public archives show more than 80 data security-related actions in the past 20 years. In 2015, the FTC distilled 10 data security principles from 50 of its data security enforcement actions into Start with Security: A Guide for Business and later supplemented these principles with the 2017 Stick with Security: A Business Blog Series.
Despite this relatively long history of data security activity, the FTC is criticized for insufficiently clear guidance about what reasonable data security means, including by the 11th Circuit, which vacated a 2016 FTC data security mandating "a complete overhaul of LabMD's data-security program" because it offered "precious little about how this is to be accomplished." Perhaps in response to the 11th Circuit's LabMD decision, in a January 6, 2020 blog post, the FTC touted "significant improvements" in its 2019 data security orders.
Following this cue from the FTC's blog, we analyze the FTC's key data-security-related enforcement during 2019 and 2020 enforcement (to date) for common data security requirements that can help guide businesses in developing their data security programs. The FTC's 2019-2020 enforcement actions include the FTC's same basic data-security-related recommendations from the 2015-2017 guidance but also elaborate with timing and other details:
Risks Assessment: A business must continually assess internal and external risks to the security, confidentiality and integrity of personal information. In its 2019 i-Dressup order, the FTC emphasizes risk assessments annually and within 30 days following data security-related events, together with security program updates to reflect the risk assessments.
Testing and Monitoring. A business must monitor and test data security safeguards to ensure their effectiveness. The FTC called out businesses for failing to use "readily available" tools for monitoring, access control, patching and encryption. (Relatedly, in its June 2020 cloud security guidance, the FTC advises business to "take advantage of the security features offered by cloud service companies.") In the May 2020 Final Order involving smart-lock maker Tapplock, the FTC requires network vulnerability testing every four months and annual network penetration testing with test repeats within 30 days after a data security–related event.
Accountability: A business must assign responsibility for the data security program and ensure adequate oversight. In the May 2020 Tapplock Final Order, the FTC clarified that a "qualified" employee must oversee the data security program and deliver a written status report to the board and management "at least once every twelve months" and "promptly" after a data security–related event.
Training: Since human error is a common source of data breaches, a business must train employees in both the threats identified in data security risk assessments and the safeguards intended to address those threats. In 2019 enforcement orders, the FTC specified annual employee data security training and, for personnel involved with software development, biennial security training.
Vendor Management: A business must not only select vendors capable of safeguarding data but also contractually obligate those vendors to maintain the safeguards but also verify their compliance with the contractual requirements. In the June 2020 cloud security guidance, the FTC reminds businesses that, even when outsourcing, "if it's your data, it's ultimately your responsibility."
In the 2019-2020 enforcement orders and again in its June 2020 cloud security guidance, the FTC emphasizes certain specific data security controls:
- Encryption of sensitive personal information stored on a business' network;
- Network segmentation to separate sensitive information;
- Data access controls for personal information, including strong passwords and authentication, restricting inbound connections to approved IP addresses, limiting employees' access to the data they need to perform their job functions, deploying data loss prevention tools and inventorying devices connected to the business' network and ensuring the devices are securely installed; and
- Tools for detecting unknown file uploads, limiting the locations to which third parties can upload files on business' network and monitoring network file integrity.
While the requirements in the FTC orders often reflect specific data security failures of the subject business, they also offer FTC-regulated businesses some benchmarks against which to evaluate their data security programs. Of course, determining the best way to implement the FTC's various data security requirements depends on industry, technology, financial and personnel resources and the quantity and sensitivity of the information.
A second installment will analyze recent changes in state laws and enforcement actions and the role of industry standards.
Julia B. Jacobson is a Partner in the Boston office of Arent Fox LLP, advising national and multinational clients on practical and tactical privacy, cybersecurity and marketing law compliance.
Natalia J. Kerr is an attorney working for the Boston office of Arent Fox LLP on privacy and cybersecurity matters.
Courtney K. Stout is the Chief Privacy Officer for S&P Global, Inc. S&P is a client of Arent Fox.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllLaw Firms Mentioned
Trending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250