FTC notes data security order improvements
On January 7, the Director of the FTC’s Bureau of Consumer Protection noted that the Commission has made “three major changes” in its data security orders to “improve data security practices and provide greater deterrence” by focusing on specificity, accountability, and responsibility. The first change increases the specificity of data security orders to “make the FTC’s expectations clearer” and “improve order enforceability.” The second change increases the accountability of the third-party assessors who review the comprehensive data security programs that the orders exact, by requiring assessors to include specific evidence for each determination and to accommodate requests from the FTC to review the assessments. The third change emphasizes executive responsibility. Yearly, companies will be required to present their data security programs to board and senior company executives who must certify the company’s compliance to the FTC. The announcement also pointed to a number of 2019 orders to demonstrate the “significant improvements” the agency has made with the three changes.