
Mandated Data Security Program

Posted by Clyde Hutchins | Dec 14, 2016


The Federal Trade Commission (FTC) has settled its investigation of the massive Ashley Madison data breach that occurred last year. One of the more interesting parts of the settlement is the mandated data security program: the FTC and Ashley Madison agreed that Ashley Madison would implement a comprehensive data security program to prevent future data breaches. The program provides a template that larger organizations can use when operating their own data security programs.

The mandated data security program includes the following features:

(1) The company must have someone at the helm of the program. This might seem intuitive to some, but many companies do not actually have a designated employee or group of employees who are responsible for company data security. I believe that most small to mid-size companies do not even think about the issue until hit with a data breach event.

(2) The company should do a risk assessment. In the Ashley Madison case, the parties agreed to biennial risk assessments by qualified, third-party risk assessors. Risk assessments by qualified third parties are essential to a company staying on top of its data security program. I personally think biennial assessments are too spread out because of the constantly and rapidly evolving security risks. Annual risk assessments would be more prudent in my opinion. Risk assessments should be done by third parties because internal audits often have "blinders" on when it comes to certain aspects of the company's data risks. It is better to have a third party come in and take a look.

(3) The company should develop and implement safeguards to minimize the identified risks, and conduct regular testing or monitoring of those safeguards. This is a logical consequence of the risk assessment requirement: when the risk assessment identifies problem areas, the company should develop a solution to minimize the risk of a data breach in each of them. According to the settlement, Ashley Madison is required to implement "reasonable" safeguards, so at least with the FTC there appears to be a recognition that a risk-benefit analysis is inherent in determining the best approach to minimizing data risks.

(4) The company should contract with its service providers to ensure that they are also required to safeguard personal information. I have always thought that this is a good idea, but difficult to implement. Every company has its own ideas about data security and what is reasonable in that area. It is sometimes difficult to really force a third party to safeguard data through a contractual provision.

(5) Constant evaluation and adjustment of the data security program as needed. This requirement goes without saying.

If you are seeking guidance or counsel on implementing a data security program or handling a data breach, feel free to contact Harmony Law. We may be able to help you resolve the situation.

About the Author

Clyde Hutchins

Clyde Hutchins is the founder of Harmony Law. Prior to opening Harmony Law, Mr. Hutchins worked in the Wyoming Attorney General's Office for several years where he developed a strong consumer protection enforcement unit. In that position he led over 120 investigations and enforcement actions under the Consumer Protection Act. He worked on numerous joint cases with the Federal Trade Commission and other states, including Colorado, on consumer protection matters. Mr. Hutchins is also a contributing author to Consumer Protection Law Developments, Second Edition. Previous to his work in the Attorney General's Office, Mr. Hutchins was in private practice in Anchorage, Alaska where he was the chief litigator for a firm. Mr. Hutchins represented municipalities on various matters. Mr. Hutchins provided counsel to businesses and investment advisors regarding compliance with securities laws. He was also a bond lawyer and worked on municipal financing matters. Prior to that, Mr. Hutchins practiced civil litigation with a law firm in Cheyenne, Wyoming. Mr. Hutchins devotes his spare time to his family, traveling and enjoying the great outdoors.
