The status of consumer data security law in the United States is at a crossroads. Last week, the White House released a discussion draft of its Consumer Privacy Bill of Rights Act of 2015, which would require businesses collecting personal information to maintain safeguards reasonably designed to ensure the security of that information. And yesterday, the Third Circuit held oral argument in FTC v. Wyndham Worldwide Corp., in which the district court last April denied Wyndham’s challenge to the Federal Trade Commission’s data security enforcement efforts.
In the absence of an overarching data security framework or clear statutory authority, the primary cop on the consumer data security beat has been the FTC. Since 2002, the FTC has brought and settled over 50 enforcement actions against businesses for allegedly maintaining insufficient data security practices, primarily under its authority to regulate “unfair or deceptive acts or practices in or affecting commerce” under Section 5 of the FTC Act. Some states have contributed to the enforcement landscape under so-called “Little FTC Acts,” which grant them parallel and coextensive authority, as well as through a few state laws that provide more granular cybersecurity requirements, such as Massachusetts’s. But none has been as active, or has broken as much new ground, as the FTC.
Because of the broad authority the FTC claims to regulate data security, and its uncertain and incremental enforcement approach of regulation-by-settlement, it is not always clear to businesses what security measures they need to implement to avoid violating the law. This is particularly the case with respect to the technical security measures used to secure remotely accessible networks and databases, where technology changes frequently and network compromises are common, if not expected, in some circumstances.
In the context of this lack of clarity, last year I published an article in the Journal of Internet Law, The Law of Securing Data on Networked Computers, that examined the FTC’s complaints and informal guidance to clarify what technical data security measures the Commission believes that companies are legally required to apply under Section 5 of the FTC Act to consumer data stored on Internet-connected or other network computers. The article groups these technical security measures, which form the de facto legal standard followed by the FTC and many state regulators, into four general categories:
- Testing and monitoring for reasonably foreseeable vulnerabilities and threats, such as code review, anti-malware, filtering outbound traffic, and monitoring of activity logs.
- Network architecture requirements, including network perimeter controls, segregation of networks, and limiting the connection of external computers or devices.
- Use of encryption when sensitive consumer data is in transit over public or wireless networks, and when it is at rest.
- Access control and authentication, such as requiring proper user authentication before providing access to data, user credentialing procedures, and password requirements.
The article also suggests steps that businesses can take to mitigate the risk of a regulatory data security action, a breach notification requirement, or a lawsuit.
For a copy of The Law of Securing Consumer Data on Networked Computers, click here.