In his first blog post of 2020, Andrew Smith, director of the Federal Trade Commission’s Bureau of Consumer Protection, described how the agency has improved its orders in data security cases. He cited seven cases as examples, each one addressing allegations of unauthorized access to consumers’ personal information.
These orders, and Mr. Smith’s comments, come alongside pretty significant regulatory changes for dealers with respect to their data security obligations. With California leading the way, a number of states have adopted or are considering new consumer privacy laws that frequently include data security elements. Further, the FTC has proposed changes to two rules under the Gramm-Leach-Bliley Act that would require dealers to step up consumer data protection.
In light of these new or proposed regulatory requirements, automotive dealers across the country and other businesses that collect sensitive consumer information should be taking steps to evaluate their current data security measures. The FTC’s comments on its recent orders are therefore useful because they indicate what types of data security measures regulators want to see in companies and provide a blueprint for dealerships to evaluate their own programs.
Mr. Smith described the orders in the FTC’s enforcement cases as improvements based on three factors: the orders are specific, they require third-party monitoring, and they elevate data security to the Board or C-Suite level. Each of these factors includes lessons for automotive dealers and other businesses.
“[The orders] require that the company implement a comprehensive, process-based data security program, and they require the company to implement specific safeguards to address the problems alleged in the complaint,” Smith said. He cited annual employee training, access controls, monitoring systems for data security incidents, patch management systems, and encryption as examples. “These requirements not only make the FTC’s expectations clearer to companies, but also improve order enforceability,” he said. Each of these measures is also common to the FTC’s proposed GLB regulations and to data security measures recommended by many experts to comply with state laws like the California Consumer Privacy Act. This should indicate to every business that regulators are converging on a common set of elements that all data security programs should have.
Increased third-party assessor accountability
“We still rely on outside assessors to review the comprehensive data security program required by the orders, and now we require even more rigor in these assessments,” he said. For example, the orders “clearly and specifically” require assessors to identify evidence to support their conclusions, including independent sampling, employee interviews, and document review. The assessors must retain documents related to the assessment and cannot refuse to provide those documents to the FTC on the basis of certain privileges. While these requirements apply directly to enforcement, they also indicate why regulators value third-party assessments and why working with an outside, independent party can be valuable for improving a business’s security: outside opinions are more independent and are perceived as more honest. Any business working to improve its data security should, in consultation with its legal counsel, consider working with a third party to assess and improve its data security.
Elevated data security considerations to the C-Suite and boards
Each of the FTC’s enforcement orders requires the company to present its board or similar governing body with a written information security program on an annual basis. In addition, “senior officers must now provide annual certifications of compliance to the FTC. This will force senior managers to gather detailed information about the company’s information security program, so they can personally corroborate compliance with an order’s key provisions each year,” Smith said. “Requiring these kinds of certifications under oath has been an effective compliance mechanism under other legal regimes (e.g., securities law), and we expect it will likewise ensure better year-round governance and controls regarding FTC data security orders.” Again, these requirements apply directly to enforcement actions, but they are instructive nonetheless, as they demonstrate that the FTC and other regulators see data security as the purview of the leadership of any business handling consumer personal information. Dealers and other businesses should therefore be prepared to elevate their data security improvement efforts out of the business office and into the C-suite to give this matter the attention it deserves.