The Federal Trade Commission (FTC) is the de facto federal data security and privacy enforcement authority in the U.S.
Did you know that?
Even if your company has a specific compliance mandate, such as HIPAA or PCI, you still have to practice reasonable cybersecurity, as the FTC defines it, across your entire organization.
This sculpture, one of a pair found outside of the Federal Trade Commission Building, is entitled “Man Controlling Trade” and was completed for the FTC Building in 1942 by New York sculptor Michael Lantz. Photo by Jonathan B. Morgan.
Every Organization Operating in The U.S.
Over the past 15 years, the FTC has established its cybersecurity leadership through over 60 settlements and lawsuits.
More are coming.
The FTC takes its position on cybersecurity from a modern interpretation of the Federal Trade Commission Act of 1914:
“Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” – (15 U.S.C. § 45)
This means if you say in your privacy policy that you don’t collect the Social Security numbers of your customers, you better not do so.
And, if your website says you encrypt all personally identifiable information, you’d better do that.
If you do otherwise, in either case, you could be found to have committed an “unfair or deceptive act.”
What’s Reasonable?
The FTC says “reasonable security measures” mean you are doing what’s appropriate for:
- An entity of similar size and sophistication
- Given the type, amount and methods of data collected
Thus, a small retailer will not be compared to a large insurance company, or even a medium-sized one. They aren’t of a comparable size, and they aren’t even in the same industry.
They probably don’t collect the same data, either.
Cybersecurity Must Be Practiced
The FTC also says reasonable cybersecurity is more than just checking boxes. Security must be practiced.
Here are some example cases, organized by the five top-level functions of the NIST Cybersecurity Framework:
What typically happens to a company that settles with the FTC over cybersecurity?
- A consent order typically lasts for 20 years.
- It prohibits misrepresentations about data security.
- It requires the company to correct any problem security measures.
- The company must establish a comprehensive information security program with safeguards suitable for the company and the type of protected data.
- It also requires independent risk assessments as well as periodic reporting of the findings to the FTC.
- Companies must also document their compliance efforts and report material changes to the agency.
In other words, 20 years of close, personal supervision by the government to make sure you do the things that you should have already been doing.
Yikes.
Cyber Risk Opportunities helps middle market companies practice reasonable cybersecurity by prioritizing and reducing your top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.
Get in touch today to learn more and take advantage of a free 30-minute Q&A session with one of our cyber risk experts. Call 253-332-7867, or email us at info@cyberriskopportunities.com.