Jun 242016

FTC Hosts Fourth Start with Security Event in Chicago

Colleen Theresa Brown, Vivek K. Mohan and Jason Manion
, , , ,

The Federal Trade Commission hosted its fourth Start with Security event in Chicago, IL on June 15, 2016. This event was the latest installment of the Start with Security business education initiative launched last summer to engage in proactive outreach with the business community on information security standards and FTC expectations at a time when the FTC’s authority to reactively regulate data security was being challenged in federal court.  In addition to the Start with Security events, the FTC also responded by synthesizing their 50+ data security settlements into “10 practical lessons” to guide companies looking to proactively comply with FTC data security expectations.

FTC representatives at the event included FTC Commissioner Maureen Ohlhausen; the Acting Director for the Midwest Region, Todd Kossow; the Enforcement Director for the FTC Office of Technology Research and Investigation, Steve Wernikoff; and three Division of Privacy and Identity Protection attorneys: Cora Han, Jim Trilling, and Andrea Arias.

The event was targeted towards startups and small businesses and focused more on technology and business considerations than on legal principles. However, the topics chosen by FTC representatives provide clues about which areas of data security the FTC thinks are important, especially for new companies that lack the data security resources available to bigger companies.

Some takeaways from the event include the following:

  • Data security makes good business sense: Panelists emphasized that there is now plenty of data about the costs of data breaches to support the claim that investments in data security make good business sense. Since the FTC focuses on the “reasonableness” of data security practices during enforcement actions, businesses should know that there may be a presumption that reasonable businesses will invest in data security.
  • Data security should be a central part of your business culture: Data security should not be an afterthought for businesses. Businesses should focus on creating a security-aware culture, engage in threat modeling to identify and resolve data security risks, and leverage existing data security tools and the expertise of the data security community.
  • Data security should be built into product development: For businesses developing software (or Internet of Things and other connected products), data security should be built into all stages of the product development. Businesses should invest in static analysis, dynamic analysis, penetration testing, and unit testing. Some businesses might even consider implementing bug bounty programs to incentivize third parties to report bugs.
  • Data security should be central in your relationship with third party providers: Data security considerations should inform choices of, and relationships with, third party providers. This includes third party technological or cloud-based services, but also includes any third parties that can affect data security (such as the HVAC vendor in the Target data breach case.) When choosing third party providers, businesses should conduct due diligence and ensure that data security provisions are included in contracts.
  • Data security should inform your network and authentication choices: Because many data breaches happen through phishing, brute force attacks, and authentication bypass vulnerabilities, businesses should focus on data security when making network and authentication choices. This should include a focus on training employees and developing processes to ensure that data security policies are being consistently enforced.
Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Vivek K. Mohan

vmohan@sidley.com

Jason Manion

jmanion@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.

FINRA Issues 2023 Report on Its Examination and Risk Monitoring Program

On January 10, 2023, the Financial Industry Regulatory Authority (FINRA) published its 2023 Report on its Examination and Risk Monitoring Program (the Report).1 The 75-page Report includes four new topic areas for 2023: (1) manipulative trading, (2) fixed income — fair pricing, (3) fractional shares — reporting and order handling, and (4) Regulation SHO.