How to Interpret the FTC’s Vague Data Security Standards

April 20, 2015

Judith A. Archer and Jami Mills Vibbert, Norton Rose Fulbright U.S. LLP

The Federal Trade Commission Act, Section 5, makes unlawful any “unfair or deceptive acts or practices in or affecting commerce.”

Relying on Section 5, the Federal Trade Commission has aggressively pursued over fifty companies on a variety of data security issues, such as failing to take “reasonable” steps to secure data or safeguard consumer information and making false or misleading statements about their security measures. Most of these actions resulted in onerous settlements. Yet, the FTC has not promulgated written rules or standards prescribing what reasonable safeguards are.

The FTC requires “reasonable oversight” of service providers, and that includes affirmative steps to ensure that they employ appropriate protections for consumer information. Specifically, companies should:

- Review information concerning the data security practices of service providers.
- Require that service providers maintain security measures capable of safeguarding consumer information.
- Ensure that they have access only to consumer data that directly relates to their business purpose, and for long enough to accomplish it.
- Use fictitious data sets where appropriate, and verify that service providers securely remove data when it is no longer necessary.

Companies that employ some or all of the above measures should decrease the likelihood of an FTC action or provide a concrete basis to defend one, based on their having taken reasonable measures pursuant to a comprehensive data security program. Given the potential effect of an FTC action, that means decreasing the risk of significant future expense and burden.

Read the full article at:

Today's General Counsel
