Mandated Data Security Program

Posted by Clyde Hutchins | Dec 14, 2016

Data Security Program

The Federal Trade Commission (FTC) settled its investigation regarding the massive Ashley Madison data breach that occurred last year. One of the more interesting parts of the settlement is the mandated data security program. The FTC and Ashley Madison agreed that Ashley Madison would implement a comprehensive data security program to prevent future data breaches. The program provides a template that larger organizations can look to in operating their own data security programs.

The mandated data security program includes the following features:

(1) The company must have someone at the helm of the program. This might seem intuitive to some, but many companies do not actually have a designated employee or group of employees who are responsible for company data security. I believe that most small to mid-size companies do not even think about the issue until hit with a data breach event.

(2) The company should do a risk assessment. In the Ashley Madison case, the parties agreed to biennial risk assessments by qualified, third-party risk assessors. Risk assessments by qualified third parties are essential to a company staying on top of its data security program. I personally think biennial assessments are too spread out because of the constantly and rapidly evolving security risks. Annual risk assessments would be more prudent in my opinion. Risk assessments should be done by third parties because internal audits often have "blinders" on when it comes to certain aspects of their data risks. It is better to have a third party come in and take a look.

(3) The company should develop and implement safeguards to minimize the risks and conduct regular testing or monitoring of those safeguards. This is a logical requirement in view of the risk assessment requirement. When the risk assessment identifies problem areas, the company should work to develop a solution to minimize the risk of data breach. According to the settlement, Ashley Madison is required to implement "reasonable" safeguards, so at least with the FTC, it appears that there is a recognition that there is a risk-benefit analysis inherent in determining the best approach to minimize data risks.

(4) The company should contract with its service providers to ensure that they are also required to safeguard personal information. I have always thought that this is a good idea, but difficult to implement. Every company has its own ideas about data security and what is reasonable in that area. It is sometimes difficult to really force a third party to safeguard data through a contractual provision.

(5) Constant evaluation and adjustment of the data security program as needed. This requirement goes without saying.

If you are seeking guidance or counsel on implementing a data security program or handling a data breach, feel free to contact Harmony Law. We may be able to help you resolve the situation.

About the Author

Clyde Hutchins

Clyde Hutchins is the founder of Harmony Law. Mr. Hutchins started his legal career in Cheyenne, Wyoming as a law clerk for the district court judges. Mr. Hutchins then entered private practice with a Wyoming-based litigation and business law firm. Later, Mr. Hutchins went to Alaska, where he was the chief litigator for a firm that engaged in bond law, corporate law, securities law, and municipal law. The State of Wyoming hired Mr. Hutchins from Alaska to represent the State of Wyoming in the national tobacco arbitration and act as its tobacco settlement attorney. While in that position, as a hobby, he developed an enforcement unit for consumer protection for Wyoming residents. Mr. Hutchins moved to Colorado in 2016 and founded Harmony Law, LLC. Harmony Law is primarily engaged in civil litigation. It is also a general practice firm in the areas of business law, estate planning, consumer law and family law. Harmony Law is active in all state and federal courts throughout Wyoming and Colorado.

