The Law of Securing Consumer Data on Networked Computers
In the absence of an overarching data security framework or clear statutory authority, the primary cop on the consumer data security beat has been the FTC. Since 2002, the FTC has brought and settled over 50 enforcement actions against businesses for allegedly maintaining insufficient data security practices, primarily under its authority to regulate “unfair or deceptive acts or practices in or affecting commerce” under Section 5 of the FTC Act. Some states have contributed to the enforcement landscape under so-called “Little FTC Acts,” which grant them parallel and coextensive authority, and a few states, such as Massachusetts, have enacted laws that impose more granular cybersecurity requirements. But none has been as active, or has broken as much new ground, as the FTC.
Because of the broad authority the FTC claims to regulate data security, and its uncertain and incremental approach of regulation-by-settlement, it is not always clear to businesses what security measures they must implement to avoid violating the law. This is particularly the case for the technical measures used to secure remotely accessible networks and databases, where the technology changes frequently and network compromises are common, if not expected, in some circumstances.
Against this backdrop, last year I published an article in the Journal of Internet Law, The Law of Securing Consumer Data on Networked Computers, that examined the FTC’s complaints and informal guidance to clarify which technical data security measures the Commission believes companies are legally required to apply, under Section 5 of the FTC Act, to consumer data stored on Internet-connected or other networked computers. The article groups these technical security measures, which form the de facto legal standard followed by the FTC and many state regulators, into four general categories:
- Testing and monitoring for reasonably foreseeable vulnerabilities and threats, such as code review, anti-malware, filtering of outbound traffic, and monitoring of activity logs.
- Network architecture requirements, including network perimeter controls, segregation of networks, and limits on connecting external computers or devices.
- Use of encryption for sensitive consumer data, both when it is in transit over public or wireless networks and when it is at rest.
- Access control and authentication, such as requiring proper user authentication before granting access to data, user credentialing procedures, and password requirements.
The article also suggests steps that businesses can take to mitigate the risk of a regulatory data security action, a breach notification requirement, or a lawsuit.
For a copy of The Law of Securing Consumer Data on Networked Computers, click here.