With 2019 coming to a close, we wanted to take a look at what can be learned from the FTC’s cybersecurity enforcement actions this year.  As we have previously noted, the FTC came under criticism last year in the LabMD decision for not providing companies with sufficient clarity as to what it expects in terms of their cybersecurity measures.  So we thought it would be helpful to see if the FTC’s cybersecurity settlements in 2019 provide any guidance for what the FTC believes companies should (and should not) be doing to protect consumer data.

In total, the FTC reached settlements in six cybersecurity actions in 2019.  The most recent was its settlement with InfoTrax on November 12.  InfoTrax is a Utah-based technology company that provides back-end operations services to multi-level marketing companies.  Beginning in May 2014, InfoTrax suffered a series of intrusions into their servers through which hackers accessed personal information pertaining to almost one million consumers and which remained undetected for a period of almost two years.  The FTC complaint alleged that these intrusions were possible because of the company’s failure to utilize adequate security protections to safeguard the personal information it maintained on behalf of its clients.  It is worth noting that the FTC appears to be broadening its reach in cyber enforcement by targeting InfoTrax, a service provider whose clients are other businesses, and not individual consumers.

The InfoTrax case follows a familiar formula for FTC cybersecurity enforcement, with guidance provided to regulated entities through both the complaint and the settlement.  Generally, recent FTC complaints provide an evolving view of the areas of cybersecurity in which the Commission is most interested, and include some of the “Thou Shalt Nots” for companies hoping to avoid FTC scrutiny.  The InfoTrax complaint, for example, highlighted the failure of the company to:

• Inventory or delete unnecessary personal information;
• Review its software code and test its network;
• Adequately detect and limit malicious file uploads; and
• Adequately segment its network.

While FTC complaints generally tell companies what not to do, the requirements imposed by the settlements provide a road map of affirmative steps that companies can take to strengthen their cybersecurity programs and reduce FTC regulatory risk.  And we are seeing some requirements appearing quite consistently in recent settlements.  For example, all but one of the FTC cyber settlements reached in 2019 directed that the company create a cybersecurity program that is reasonably designed to protect the security, confidentiality, and integrity of covered information.  By contrast, only one settlement centered around the security risks related to the development and management of new products.  Several other requirements appear in every FTC settlement reached in 2019, including that the defendant:

• Put the cybersecurity program content, implementation, and maintenance in writing;
• Designate specific employees to coordinate and be responsible for the program;
• Conduct assessments of internal and external risks to security;
• Regularly test and monitor the effectiveness of cybersecurity safeguards, key controls, systems, and procedures;
• Evaluate and adjust, based on testing and monitoring, any material changes to defendants’ operations or business arrangements, or any other circumstances that may have an impact on the program;
• Assess risk and design safeguards for prevention, detection, and response to attacks or system failures;
• Design reasonable steps to select and retain service providers capable of appropriately safeguarding personal information; and
• Contract with service providers to help implement and maintain appropriate safeguards.

In addition, the majority of defendants were required to expand upon the requirements listed above in some way.  For example, most had to provide a copy of their written cyber program to their board on an annual basis, and/or to conduct risk assessments annually and after a significant cyber incident.

In sum, the cases settled by the FTC in 2019 alleviate many of the concerns expressed following the LabMD decision regarding the clarity of the FTC’s cybersecurity expectations for companies.  In the absence of detailed cybersecurity regulation, the FTC is using each new settlement to refine its data protection standards and to alert regulated entities as to what it expects and what it finds unacceptable.

This was originally posted on Davis Polk’s Cyber Blog on Dec. 17, 2019.