While there is no nationwide cybersecurity program, the Federal Trade Commission has brought more than 50 actions challenging the cybersecurity practices of a variety of companies across a variety of industries. While these actions have primarily been administrative and resulted in settlements, and the specifics of each order apply only to the company affected, these actions are instructive as to what the FTC expects of cybersecurity programs. A byproduct of the FTC’s actions is a guide for companies to create better privacy and security policies and programs. While these cases don’t necessarily identify how to run “gold-standard” programs, they identify what the FTC expects as minimum standards for efforts to protect data.
The FTC has said that most enforcement actions it has brought involve “basic, fundamental security missteps.” Many are human error, but there are also plenty that show deficiencies in cybersecurity risk assessments and programs. This piece describes baseline guides; companies should consult qualified counsel for specifics. Engaging counsel itself on these issues is a sign to regulators that a company takes cybersecurity seriously. But doing it correctly depends on engaging top legal counsel and experienced advisors early on.
Human Factor. No cybersecurity program is ironclad as long as human error exists and the skills of hackers evolve at the same rate as technology itself. But many cybersecurity breaches are the result of simpler mistakes. The FTC requires “reasonable” efforts, not complete security.
It’s also important to note that cybersecurity solutions are not one-size-fits-all, even for companies within the same industry. Prevention programs depend on the unique circumstances and business practices of each company. Regardless of company or industry, however, a demonstrated commitment to security is required, both to satisfy the government and to protect valuable corporate and customer assets.