Dealing with Federal Trade Commission (“FTC”) cyber security standards can be a daunting task, because the FTC enforces cyber security obligations under Section 5 of the Federal Trade Commission Act, which prohibits “deceptive” and “unfair” business practices generally. Beyond that general mandate, however, there are no hard-and-fast guidelines as to what the FTC considers “reasonable” cyber security efforts on the part of a company before a breach. Indeed, the FTC itself has pointed to at least seven different sources of information as to what a company should do to keep customer and employee data safe:
“[FTC standards] can be found in speeches, business education, Congressional testimony, articles, blog entries, these concepts have been laid out pretty clearly in Commission materials, as well as other FTC settlements in the data security area.” In re LabMD, Deposition of Daniel Kaufman, Deputy Director, Bureau of Consumer Protection, FTC, May 12, 2014.
Further, the first court to address the issue noted that “the contour of an unfairness claim in the data-security context, like any other, is necessarily ‘flexible’,” pointing to “industry standard practices” as the touchstone for what should be considered reasonable. See FTC v. Wyndham Worldwide Corp., et al. (D.N.J. – 2:13-cv-01887-ES-JAD).
Against this backdrop of uncertainty, FTC Commissioner Maureen Ohlhausen recently revealed that the FTC closes roughly 70% of the data breach investigations it opens, on a finding that the cyber security efforts of the company under investigation were reasonable under the circumstances. Her comments are here: https://youtu.be/GCxoQ445jLc?t=6m40s
This would appear to be good news, and it shows that the FTC is looking hard at the facts and circumstances of each case individually. That being said, the costs and disruption of an FTC investigation, as well as the risk of an adverse outcome, can be enormous. Case in point: the recent $100 million payment LifeLock agreed to make for violating a prior stipulated order concerning cyber security failures that it had entered into with the FTC. Even if the FTC closes the majority of the cases it opens, the lack of clarity as to which standards the FTC will apply when investigating a breach means that any FTC investigation remains a highly uncertain proposition for a breached entity.