FTC Brings Clarity to its Data Security Enforcement Orders Following Criticism That They Were ‘Unenforceably Vague’
As part of the FTC’s Hearings on Competition and Consumer Protection in the 21st Century, the FTC held a hearing in December 2018 that specifically considered how it might improve its data security orders while remaining mindful of the 11th Circuit’s 2018 LabMD decision, which struck down an FTC data security order as unenforceably vague. Based on this learning, in 2019 the FTC made significant improvements to its data security orders. These improvements are reflected in seven orders announced this year against an array of diverse companies: ClixSense (pay-to-click survey company), i-Dressup (online games for kids), DealerBuilt (car dealer software provider), D-Link (Internet-connected routers and cameras), Equifax (credit bureau), Retina-X (monitoring app), and Infotrax (service provider for multilevel marketers).
The improvements fall into three categories.
- The orders are more specific.
- The orders increase third-party assessor accountability.
- The orders elevate data security considerations to the C-Suite and Board level.
The new orders create additional incentives for high-level oversight of, and appropriate attention to, data security. They also mean that companies that handle personal data should examine their technical and organizational data security practices to ensure they can withstand tighter agency scrutiny.