The Federal Trade Commission has brought more than 50 data security cases over the years and now it’s pulling all that case law into guidance for companies.
Along with the guidance, “Start with Security,” the agency said Tuesday it will hold a series of educational conferences across the country, beginning Sept. 9 in San Francisco. There’s also an accompanying new website.
The initiative could fill in some gaps for companies, which have struggled to figure out exactly what the FTC means by “reasonable” security.
Just about all of the cases the FTC has brought have settled, except for a couple of defendants, such as Wyndham Worldwide and LabMD, which chose to fight. Those companies have accused the agency of overstepping its authority and failing to spell out what adequate data security is. Both cases are still in litigation.
“Although we bring cases when businesses put data at risk, we’d much rather help companies avoid problems in the first place,” said Jessica Rich, the FTC’s consumer protection bureau chief.
The FTC’s guidance boils down its security advice to 10 basic principles and builds on its earlier publications, including Protecting Personal Information and Careful Connections: Building Security in the Internet of Things.
In the guidance, the FTC cautions that its enforcement actions have ended in settlements and that no findings have been made by a court. (Some bills have been proposed in Congress to give the FTC more authority to set data security rules, but for now the FTC has to stick to a reasonableness standard.)
“These are settlements – no findings have been made by a court – and the specifics of the orders apply just to those companies, of course. But learning about alleged lapses that led to law enforcement can help your company improve its practices. And most of these alleged practices involve basic, fundamental security missteps,” the FTC wrote.