The Federal Trade Commission posted a reminder Monday of its “new and improved” data security orders, which compliance and risk professionals might want to read for its lessons about cybersecurity oversight and compliance generally.
The statement, published on the FTC Business Blog, reviews several changes the FTC made last year to its data security orders. Those orders had been under fire for being too vague — including an appellate court decision in 2018 that struck down a data security order on those grounds — so the agency had promised more detailed “DSOs” going into the future.
Now we have a glimpse into that structure. Andrew Smith, director of the FTC’s Consumer Protection Bureau, outlined three major changes.
First, the requirements in DSOs will be more specific. Rather than serve up bland language about implementing “a comprehensive, process-based data security program,” the orders will specify improvements such as annual employee training, access controls, monitoring systems for cybersecurity incidents, patch management systems, and encryption.
Why get so nitty-gritty? Partly so companies will have a clearer sense of what the FTC wants them to do — but also to “improve order enforceability,” as the FTC phrased it. So room to flimflam your way out of an enforcement action for failing to adhere to a DSO will be diminished.
Second, the orders will require more rigor from the third parties assessing your data security. DSOs routinely require an independent assessment of a company’s security program; now the FTC will hold the assessors performing those assessments to a higher standard. That will ultimately mean more rigor placed upon your company, as those independent assessors put your data security program through its paces.
More rigor from those third-party assessments should not be a surprise. The poster boy for poor assessments is PwC, which had been auditing Facebook’s privacy program after Facebook’s first FTC settlement in 2012. PwC gave Facebook passing marks as recently as 2018, even as the company confessed to gigantic privacy failures that led to its second, $5 billion settlement last summer. So, yeah.
Third, the orders will push security and compliance into the C-suite. New DSOs will require executives to present their data security to the board every year, and require senior officers to certify compliance to the FTC annually. “This will force senior managers to gather detailed information about the company’s information security program, so they can personally corroborate compliance with an order’s key provisions each year,” the FTC statement said.
So — more detailed requirements, with more rigorous independent oversight, and more accountability for data security from senior management.
Data Security, Compliance, and Risk
Of course any company subject to an FTC investigation and likely to receive a data security order should give this statement close attention. Even other companies, however, should consider what the FTC is saying, because its points are a roadmap for good data security management anyway.
For example, more specific DSOs can be a great source of knowledge about which poor security practices will trigger what types of remediation. I randomly looked up “training” in the Equifax data security order from July 2019, and found directives about training specifically for software engineers on “reasonably foreseeable vulnerabilities,” complete with examples.
Yes, compliance officers have been parsing corporate integrity agreements for years to divine clues about good practices to institute at home; but that’s typically been for FCPA or healthcare compliance issues. The FTC’s orders might now provide the same raw material so we can collectively navel-gaze over data security, too.
Ditto for that second point about outside assessments of your data security programs. In a practical sense, now you can better anticipate what those assessments might entail and prepare documentation or in-person reviews accordingly.
But in a larger sense, this point also underlines the need for better assessment of cybersecurity generally — including of the vendors you use in your own business processes. Too many companies are still terrible at that, relying on self-certifications from vendors or not assessing vendor cybersecurity at all.
As to the final point about building more senior management accountability into the orders, that should surprise nobody. Boards themselves are thirsting for more assurance about cybersecurity (it’s always near the top of annual surveys of board concerns), and the FTC knows full well that continued data security failures drive the public nuts.
The warning that compliance officers or CISOs might want to give the C-suite is this: those annual certifications of compliance with a data security order are made under oath, which means negligent oversight could expose senior executives to liability. As the FTC itself said:
Requiring these kinds of certifications under oath has been an effective compliance mechanism under other legal regimes (e.g., securities law), and we expect it will likewise ensure better year-round governance and controls regarding FTC data security orders.
So that’s what you get these days with an FTC data security order. Astute organizations will invest enough in security and compliance now to get ahead of the problem, instead.