Be Reasonable: Recent FTC Enforcement Orders on Data Security
Proposed class actions against Zoom are illustrative of a challenge many businesses face: What is "reasonable" data security? The FTC's key data-security-related enforcement can help guide businesses in developing their data security programs.
June 24, 2020 at 07:00 AM
Amid the nationwide "work from home" routine necessitated by the COVID-19 pandemic, an extraordinary number of businesses turned to Zoom Video Communications' video conferencing platform. As use of the Zoom platform increased, so did scrutiny of Zoom's data security practices, which in turn produced a flurry of class action lawsuits against Zoom for "violation of its duty to implement and maintain reasonable security procedures and practices." Like the terms of many technology providers, Zoom's Terms of Service stated that Zoom will "maintain reasonable physical and technical safeguards to prevent unauthorized disclosure of or access … in accordance with industry standards."
The proposed class actions against Zoom are illustrative of a challenge many businesses face: What is "reasonable" data security? Organizations in regulated industries typically have more data security parameters, e.g., Health Insurance Portability and Accountability Act Security Rule, Vermont's Securities Regulations Cybersecurity Procedures and South Carolina's Insurance Data Security Act. Businesses operating outside regulated industries must sift through a patchwork of laws, guidance and enforcement actions.
Getting to reasonable data security is particularly vexing for technology vendors that, like Zoom, are required by law (e.g., General Data Protection Regulation and California Consumer Privacy Act of 2018) to contractually promise that their products protect customers' personal data and confidential business information with reasonable data security.
For businesses subject to the authority of the Federal Trade Commission (FTC), data security-related enforcement actions and guidance are the primary sources for clarifying the reasonable data security requirement. The FTC's public archives show more than 80 data security-related actions in the past 20 years. In 2015, the FTC distilled 10 data security principles from 50 of its data security enforcement actions into Start with Security: A Guide for Business and later supplemented these principles with the 2017 Stick with Security: A Business Blog Series.
Despite this relatively long history of data security activity, the FTC is criticized for insufficiently clear guidance about what reasonable data security means, including by the 11th Circuit, which vacated a 2016 FTC data security order mandating "a complete overhaul of LabMD's data-security program" because it offered "precious little about how this is to be accomplished." Perhaps in response to the 11th Circuit's LabMD decision, in a January 6, 2020 blog post, the FTC touted "significant improvements" in its 2019 data security orders.
Following this cue from the FTC's blog, we analyze the FTC's key data-security-related enforcement during 2019 and 2020 (to date) for common data security requirements that can help guide businesses in developing their data security programs. The FTC's 2019-2020 enforcement actions repeat the same basic data-security-related recommendations found in the FTC's 2015-2017 guidance but also elaborate on them with timing and other details:
Risk Assessment: A business must continually assess internal and external risks to the security, confidentiality and integrity of personal information. In its 2019 i-Dressup order, the FTC emphasizes risk assessments annually and within 30 days following data security-related events, together with security program updates to reflect the results of those risk assessments.
Testing and Monitoring: A business must monitor and test data security safeguards to ensure their effectiveness. The FTC called out businesses for failing to use "readily available" tools for monitoring, access control, patching and encryption. (Relatedly, in its June 2020 cloud security guidance, the FTC advises businesses to "take advantage of the security features offered by cloud service companies.") In the May 2020 Final Order involving smart-lock maker Tapplock, the FTC requires network vulnerability testing every four months and annual network penetration testing, with the tests repeated within 30 days after a data security-related event.
Accountability: A business must assign responsibility for the data security program and ensure adequate oversight. In the May 2020 Tapplock Final Order, the FTC clarified that a "qualified" employee must oversee the data security program and deliver a written status report to the board and management "at least once every twelve months" and "promptly" after a data security–related event.
Training: Since human error is a common source of data breaches, a business must train employees in both the threats identified in data security risk assessments and the safeguards intended to address those threats. In 2019 enforcement orders, the FTC specified annual employee data security training and, for personnel involved with software development, biennial security training.
Vendor Management: A business must not only select vendors capable of safeguarding data but also contractually obligate those vendors to maintain the safeguards and verify their compliance with the contractual requirements. In the June 2020 cloud security guidance, the FTC reminds businesses that, even when outsourcing, "if it's your data, it's ultimately your responsibility."
In the 2019-2020 enforcement orders and again in its June 2020 cloud security guidance, the FTC emphasizes certain specific data security controls:
- Encryption of sensitive personal information stored on a business' network;
- Network segmentation to separate sensitive information;
- Data access controls for personal information, including strong passwords and authentication, restricting inbound connections to approved IP addresses, limiting employees' access to the data they need to perform their job functions, deploying data loss prevention tools and inventorying devices connected to the business' network and ensuring the devices are securely installed; and
- Tools for detecting unknown file uploads, limiting the locations to which third parties can upload files on business' network and monitoring network file integrity.
While the requirements in the FTC orders often reflect specific data security failures of the subject business, they also offer FTC-regulated businesses some benchmarks against which to evaluate their data security programs. Of course, determining the best way to implement the FTC's various data security requirements depends on industry, technology, financial and personnel resources and the quantity and sensitivity of the information.
A second installment will analyze recent changes in state laws and enforcement actions and the role of industry standards.
Julia B. Jacobson is a Partner in the Boston office of Arent Fox LLP, advising national and multinational clients on practical and tactical privacy, cybersecurity and marketing law compliance.
Natalia J. Kerr is an attorney working for the Boston office of Arent Fox LLP on privacy and cybersecurity matters.
Courtney K. Stout is the Chief Privacy Officer for S&P Global, Inc. S&P is a client of Arent Fox.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.