As we noted in previous posts, on August 11, 2022, the Federal Trade Commission (“FTC”) announced its Advance Notice of Proposed Rulemaking (“ANPR”) seeking public comment on 95 questions focused on harms stemming from “commercial surveillance and lax data security practices” and whether new trade regulation rules under section 18 of the FTC Act are needed to protect people’s privacy and information.
The ANPR was published in the Federal Register on August 22, 2022 and has a comment period that ends in 60 days on October 21, 2022. Additionally, on August, 29, 2022, the FTC released the final agenda for its September 8, 2022 Commercial Surveillance and Data Security Public Forum seeking public comment on the ANPR.
The FTC has long been focused on data security, and the ANPR as well as its accompanying questions appear to indicate that the Commission is focused on using rulemaking to codify many of the reasonable security practices outlined in its initiatives, enforcement actions, public statements and guidance. To prepare for potential FTC rulemaking regarding data security, businesses should continue to develop FTC compliance programs – including reasonable security safeguards and cybersecurity programs – by evaluating the FTC’s recent actions and guidance.
In Part 3 of our Data Blog series, we focus on the FTC ANPR as it relates to data security. Part 4 will cover artificial intelligence, algorithms and discrimination. Previously, Part 1 provided an overview of the ANPR and the context for the FTC’s rulemaking process, and Part 2 focused on privacy.
Key Data Security Topics Addressed by the ANPR
As indicated by the ANPR’s questions, the FTC is seeking comment on “how potential new trade regulation rules could require or help incentivize reasonable data security” and is focused on evaluating whether new rules should:
- Codify the prohibition on deceptive claims about consumer data security, accordingly authorizing the FTC to seek civil penalties for first-time violations;
- Require businesses to implement administrative, technical and physical data security measures, including encryption techniques, to protect against risks to the security, confidentiality or integrity of covered data;
- Impose data minimizations or purpose limitations on data collection, use and retention;
- Require companies to certify that their data practices meet clear security standards set by the FTC or a third-party entity;
- Draw on the Children’s Online Privacy Protection Act (“COPPA”) Rule or the Gramm-Leach-Bliley Act (“GLBA”), Safeguards Rule for constructive guidance for more general data security rules or more sector-specific rules; and
- Consider other U.S. laws that already include data security requirements and other governments’ data security requirements (e.g., GDPR).
The FTC’s Continued Focus on Data Security
Since 2002, as noted in its 2020 Report on Resources Used and Needed for Protecting Consumer Privacy and Security, the FTC has brought more than 70 cases against companies that have allegedly engaged in unfair or deceptive practices that included inadequate protection of consumers’ personal data. Additionally, the FTC’s recent enforcement actions continue to address reasonable security and companies’ actions and practices in the wake of data breaches.
The FTC has taken steps to address data breach reporting for businesses, including those that deal with consumers’ health information as evidenced by the FTC’s promulgation and enforcement of the Health Breach Notification Rule that applies to entities not covered by HIPAA. The FTC has periodically reviewed the Health Breach Notification Rule and recently issued a September 2021 policy statement affirming that health apps and connected devices that collect or use consumers’ health information (e.g., fertility, heart health, glucose levels) must comply with the rule. The FTC has also promulgated and revised rules pursuant to sector-specific statutes, such as COPPA and GLBA. In October 2021, for example, the FTC announced significant updates to the GLBA Safeguards Rule and published guidance in May 2022 to help companies comply with the revised Rule. As noted in the ANPR, the Commission is currently conducting its regular periodic review of the COPPA Rule and COPPA enforcement. In addition, on August 25, 2022, the FTC issued its Report to Congress on COPPA Staffing, Enforcement and Remedies, which details the number of investigations into violations of the COPPA Rule in the past five years and, if applicable, the types of relief obtained.
Over the past few years, the FTC has also published a series of blog posts addressing a wide array of data security topics, including the importance of effective breach disclosures and the breach disclosure requirement, securing sensitive information, data breach prevention and response, corporate board oversight, ransomware prevention, and the need to remediate the Log4j vulnerability.
Although FTC enforcement actions are company specific, and may not apply to every company, as a general rule these actions by the FTC should be considered as companies review the ANPR and consider potential areas to improve their data security programs.
Mitigation Strategies Related to Data Security Risks
Although the promulgation of new trade regulation rules related to the ANPR are likely several years away (if the rulemaking process proceeds at all), businesses can consider the ANPR as a potential roadmap for risk-mitigation strategies. Although every company is different and therefore should conduct an individualized risk assessment, generally these strategies may include:
- Implementing a written information security program, which may include written standards, policies, procedures or practices (including regular testing and assessments), such as those that apply to the oversight of service providers.
- Focusing on enhancing practices and procedures related to data lifecycle, including mapping, retention, deletion and destruction. Companies should consider implementing a systematic process for inventorying and deleting consumers’ personal information that is no longer necessary, especially given the rise of data minimization and purpose limitation requirements. As the FTC has explained, companies should take steps to understand the types of data they collect, use and process and should consider implementing proper disposal procedures, especially for sensitive data. Data minimization can also help companies limit the attack surface available for threat actors and help companies identify their most important datasets that may require additional protection and safeguards.
- Mapping cybersecurity controls to an existing cybersecurity framework (e.g., NIST, CIS Controls, ISO). One approach would be to conduct a risk assessment that incorporates a review of the cybersecurity controls, maps the controls to a framework, and then maps those findings to existing and proposed regulations. Risk assessment results can be shared with senior management and the board of directors and can serve as a roadmap for continued cyber maturity. Companies can, for example, evaluate “The Profile” developed by the Cyber Risk Institute, which maps regulations to an expanded NIST framework.
- Implementing reasonable data security practices to protect the personal information they collect from customers. These practices will vary for different types of companies, but may include requiring strict password policies and access controls, segmenting networks, prohibiting clear text storage of consumer’s personal information, enhanced logging and monitoring for privileged accounts, providing adequate security training to personnel, inventorying devices connected to the company’s network, and following proper incident response procedures (e.g., monitoring the company’s network for malware used in a previous intrusion). Companies can also consider common themes and recent developments with respect to state law cybersecurity requirements.
- Regularly testing and assessing the effectiveness of the key controls, systems, and procedures in the company’s information security program. In particular, companies should consider whether they are implementing a process for receiving and addressing security vulnerability reports from third-party researchers, academics, and other members of the public. Companies can also consider steps to adequately assess the cybersecurity risk posed to consumers’ personal information stored on the company’s network by evaluating whether the business should be performing adequate code review of the company’s software, penetration testing of the company’s network and software, implementing controls such as patch management policies and procedures, reasonable intrusion protection controls in legacy systems, and readily available protections against well-known and reasonably foreseeable vulnerabilities.
- Performing pre-contract due diligence on service providers and third parties, and ensuring contractual protections and ongoing monitoring are in place to protect the company’s networks, its data, and consumers’ data. To accomplish this, companies should consider contractually requiring service providers to adopt and implement information security standards, policies, procedures or practices, and adequately monitoring service providers. Companies should also consider limiting the locations to which third parties can upload unknown files on the company’s network, as well as adequately restrict third-party vendors’ access to the network (e.g., by restricting connections to specified IP addresses or granting temporary, limited access, as necessary).
To enhance readiness and compliance of data security programs before any new regulations are promulgated, businesses should review the ANPR, assess whether their data security practices may be implicated by the ANPR’s key topics and questions, and consider revisiting and enhancing their programs in light of the FTC’s guidance and enforcement actions.
As noted above, Part 1 of this Data Blog series provided background on the current ANPR and the context to the FTC’s approach to rulemaking under Section 18 of the FTC Act. Part 2 focused on privacy. Part 4 will cover artificial intelligence, algorithms and discrimination.
To subscribe to the Data Blog, please click here.
The authors would like to thank Debevoise Law Clerk Melissa Muse and former Law Clerk Lily Coad for their work on this Debevoise Data Blog.