InfoBytes Blog

Financial Services Law Insights and Observations

FTC notes data security order improvements

Agency Rule-Making & Guidance | FTC | Consumer Protection | Privacy/Cyber Risk & Data Security

On January 7, the Director of the FTC’s Bureau of Consumer Protection noted that the Commission has made “three major changes” in its data security orders to “improve data security practices and provide greater deterrence” by focusing on specificity, accountability, and responsibility. The first change increases the specificity of data security orders to “make the FTC’s expectations clearer” and “improve order enforceability.” The second change increases the accountability of the third-party assessors who review the comprehensive data security programs that the orders require, by requiring assessors to include specific evidence for each determination and to accommodate requests from the FTC to review the assessments. The third change emphasizes executive responsibility. Each year, companies will be required to present their data security programs to the board and senior company executives, who must certify the company’s compliance to the FTC. The announcement also pointed to a number of 2019 orders to demonstrate the “significant improvements” the agency has made with the three changes.