The FTC will consider lenient enforcement actions when firms have taken reasonable precautions but will stop short of safe harbor provisions
If, in the wake of major cyber-breaches at Target and Neiman Marcus, you haven't seen the writing on the wall about the regulatory ramp-up concerning data security, you're not paying close enough attention.
Earlier this week, attorney general Eric Holder put pressure on Congress to pass legislation creating national standards for notifying consumers when a company has experienced a data breach. Although he didn't specify what the legislation should include, in his weekly video address Holder said it would 'enable law enforcement to better investigate these crimes and hold compromised entities accountable when they fail to keep sensitive information safe.'
At a Senate Judiciary Committee hearing where senior executives from Target and Neiman Marcus testified earlier this month, some members of Congress were clearly not satisfied with the methods the companies said they used to notify customers of the breaches.
Last week Julie Brill, a member of the Federal Trade Commission (FTC), told companies to take 'more aggressive' action to safeguard consumer privacy, including installing mechanisms to ensure they're using data appropriately while protecting customers' anonymity, as reported by the CorporateCounsel blog.
Brill also urged companies to 'do everything technically possible' to eliminate all identifying markers from customer data and voiced support for proposals to create consumer subject review boards tasked with responsibility for gauging whether consumer data programs are legal and ethical. She went as far as to suggest firms hire algorithm experts to evaluate future data projects.
Brill isn't the only one of the four FTC commissioners to have spoken out on the need for companies to create a plan to strengthen their data security practices. In a radio interview with Hugh Hewitt on February 5, FTC commissioner Maureen Ohlhausen said the FTC expects companies 'to take reasonable precautions' against data breaches but won't provide a safe harbor that would indemnify them altogether from enforcement actions.
'What's reasonable is based on the sensitivity and the volume of consumer information the company holds, the size and complexity of the business, and the cost of the tools available to improve security and reduce vulnerabilities,' she said in the interview. 'So if a company has taken appropriate and reasonable steps, that doesn't mean it would be liable if a hacker happened to overcome those reasonable and appropriate steps. It's not a per se liability kind of issue. If a company has taken appropriate precautions, we would not say it had violated the FTC Act.'
At a panel discussion on economic crime hosted by PwC last week, Rob Khuzami, the SEC's former director of enforcement, warned that stepping up preventative measures is the most logical course given the high fines regulators are levying on companies. He told attendees to expect tougher enforcement as the government seeks greater tools and penalty authority, including requiring admissions of guilt as part of settlements.
In a corporate alert for directors published in December, Akin Gump Strauss Hauer & Feld urged the board or its appropriate committee to review with management the adequacy of the company's cyber-risk management practices, starting with whether measures put in place align with the company's cyber-risk profile. The alert suggested boards stay on top of contingency plans for responding to a data breach and efforts being made to monitor cyber-security risks at vendors and other third-party service providers.