Data Security

Welcome back. Part 1 was an overview of recent Federal Trade Commission (FTC) data security enforcement actions. This Part 2 is intended to help businesses operating outside regulated industries figure out how to interpret the "reasonable" standard in U.S. state data security enforcement and laws.

Like the FTC, state attorneys general, using their enforcement power under their states' "mini FTC Acts" (aka consumer protection laws), have initiated enforcement actions against businesses for unfair and/or deceptive data security practices—often together with other states (e.g., Equifax Inc., Dunkin Brands, Inc., Uber Technologies). Unlike the FTC, however, state attorneys general also enforce data security laws in their respective states. In this Part 2, we review recent state enforcement actions against businesses with "unreasonable" data security and also the minimum requirements in key state data security laws requiring reasonable security.

Recent judgments from state attorneys general include many of the same requirements as the FTC enforcement described in Part 1: risk assessments, testing and monitoring, accountability, employee training and vendor management. Nonetheless, these judgments, which generally reflect the deficiencies of the subject businesses, are helpful for understanding state regulators' expectations. For example:

Risk assessments: In respective settlements with state attorneys general, Equifax and Orbitz must engage an independent third party to conduct at least annual risk assessments. Uber and Bombas must use a third party that holds a CISSP, CISA or similar qualification and has 5+ years of risk assessment experience.

Testing and monitoring: Equifax's testing program must include ranking the criticality of identified vulnerabilities in alignment with an industry-standard framework and remediation planning for critical issues within 24 hours and application of the remediation within one week. In a September 2019 complaint, the New York Attorney General alleges that Dunkin Donuts repeatedly failed to monitor and remediate deficiencies after a third-party developer reported repeated security breaches.

Accountability: Equifax (Indiana) and Orbitz are required to not only hire a senior executive responsible for data security but also ensure that the executive receives necessary resources and provides quarterly Board reports.

Training: Uber must deploy ongoing training for employees and contractors, together with disciplinary measures (including termination) for violations. Equifax must provide specialized training for all security personnel on personal information protection and the terms of the settlement prior to starting their responsibilities.

Vendor management: Equifax must contractually require vendors to notify Equifax within 72 hours after discovering a security incident.

Echoing the FTC's specific security controls (see Part 1), the New York Attorney General's Letter Agreement with Zoom Video Communications, Inc. requires encryption of all personal information at rest and in transit; security protocols upgraded "as industry standards evolve"; procedures to address credential stuffing attacks; and a program to discover and fix vulnerabilities. These types of specific security controls also are reflected in other state settlements (e.g., Orbitz).

Since the FTC and state enforcement contain similar data security requirements, any business not implementing any of these controls should consider documenting the decision-making process as a defensive measure. Businesses operating in certain states may not have as much flexibility in structuring their data security programs.

Specifically, New York's Stop Hacks and Improve Electronic Data Security Act, effective March 2020, and Massachusetts' 2007 data security law include a "reasonable" data security requirement but also incorporate specific requirements, making them the two strictest state general data security laws.

The New York and Massachusetts laws include the now-familiar (see Part 1) risk assessment, testing and monitoring, accountability, training and vendor management requirements. Massachusetts' 2010 data security regulations also add specific "computer system security" requirements, the implementation of which is qualified by "to the extent technically feasible". These requirements are (inter alia): secure user authentication protocols; secure access controls (e.g., least-privilege/need-to-know); encryption of personal information that travels across a public network, is transmitted wirelessly or is stored on laptops or other portable devices; up-to-date firewall protection and operating system security patches; and reasonably up-to-date versions of system security agent software (e.g., malware protection and reasonably up-to-date patches and virus definitions).

The Massachusetts and New York laws are especially helpful when compared to the California Consumer Privacy Act of 2018 (CCPA). CCPA offers California residents a private right of action if a data breach results from a covered business' failure to implement reasonable security practices. To date, a 2016 report in which the former California Attorney General states her support for the CIS Controls offers the best clue about the meaning of "reasonable" for CCPA purposes. (The reasonable standard in these various state data security laws may feel familiar to attorneys because of its similarity to the common-law negligence standard, e.g., Dittman v. UPMC, Portier v. NEO Tech. Sols.)

Ohio takes a different but still helpful approach in its data security law. Ohio's data security law offers an affirmative defense to a tort claim alleging that a failure to "implement reasonable information security controls" resulted in a data breach, but only if the defendant can demonstrate that it "reasonably conforms" to one of the enumerated "industry recognized" cybersecurity frameworks: NIST, FEDRAMP, ISO 27001, PCI-DSS and CIS Controls.

Generally, industry data security standards—such as those cited in the Ohio law—rely on the same key principles described above and in Part 1 but with more specificity. Accordingly, choosing to adhere to a recognized industry standard is a useful means for benchmarking a defensible data security program. Complying with, and demonstrating ongoing compliance with, industry standards is, however, resource-intensive and expensive and, therefore, not immediately achievable for many businesses.

State data security laws are flexible enough to accommodate varying business needs, resources and risk tolerance, but businesses looking for definitive guidance on what constitutes legally required data security practices may find the flexibility frustrating. We hope that the key components discussed above and in Part 1, together with close attention to ongoing federal and state enforcement, can go a long way in helping businesses construct a reasonable data security program, appropriate to a business' particular needs and available resources.

Julia B. Jacobson is a Partner in the Boston office of Arent Fox LLP, advising national and multinational clients on practical and tactical privacy and cybersecurity compliance. Natalia J. Kerr is an attorney working for the Boston office of Arent Fox LLP on privacy and cybersecurity matters. Courtney K. Stout is the Chief Privacy Officer for S&P Global, Inc.