Mandated Data Security Program

Posted by Clyde Hutchins | Dec 14, 2016 | 0 Comments

Data Security Program

The Federal Trade Commission (FTC) has settled its investigation into the massive Ashley Madison data breach that occurred last year. One of the more interesting parts of the settlement is the mandated data security program. The FTC and Ashley Madison agreed that Ashley Madison would implement a comprehensive data security program to prevent future data breaches. The program provides a template that larger organizations can consult when operating their own data security programs.

The mandated data security program includes the following features:

(1) The company must have someone at the helm of the program. This might seem intuitive to some, but many companies do not actually have a designated employee or group of employees responsible for company data security. I believe that most small to mid-size companies do not even think about the issue until they are hit by a data breach.

(2) The company should conduct a risk assessment. In the Ashley Madison case, the parties agreed to biennial risk assessments by qualified, third-party risk assessors. Risk assessments by qualified third parties are essential to a company staying on top of its data security program. I personally think biennial assessments are too spread out, given the constantly and rapidly evolving security risks; annual risk assessments would be more prudent in my opinion. Risk assessments should be done by third parties because internal audits often have "blinders" on when it comes to certain aspects of the company's data risks. It is better to have a third party come in and take a look.

(3) The company should develop and implement safeguards to minimize the identified risks and conduct regular testing or monitoring of those safeguards. This is a logical requirement in view of the risk assessment requirement: when the risk assessment identifies problem areas, the company should develop a solution to minimize the risk of a data breach in each of them. According to the settlement, Ashley Madison is required to implement "reasonable" safeguards, so at least with the FTC there appears to be a recognition that a risk-benefit analysis is inherent in determining the best approach to minimizing data risks.

(4) The company should contract with its service providers to ensure that they are also required to safeguard personal information. I have always thought that this is a good idea, but difficult to implement. Every company has its own ideas about data security and what is reasonable in that area, and it is sometimes difficult to really force a third party to safeguard data through a contractual provision.

(5) Constant evaluation and adjustment of the data security program as needed. This requirement goes without saying.

If you are seeking guidance or counsel on implementing a data security program or handling a data breach, feel free to contact Harmony Law. We may be able to help you resolve the situation.

About the Author

Clyde Hutchins

Clyde Hutchins is the founder of Harmony Law. Mr. Hutchins started his career as a lawyer in Cheyenne, Wyoming. First gaining experience as a law clerk for the district court judges, Mr. Hutchins entered private practice with a Cheyenne firm focused on civil litigation, business law and some general practice law. Later, Mr. Hutchins went to Alaska, where he was the chief litigator for a firm that engaged in bond law, corporate law, securities law, and the broad reach of municipal law. Mr. Hutchins returned to Cheyenne to represent the State of Wyoming in the national tobacco arbitration. While in that position, he developed the consumer protection unit for the Wyoming Attorney General's Office. He led over 120 investigations and enforcement actions in Wyoming and worked on numerous joint cases with the Federal Trade Commission and other states, including Colorado. Mr. Hutchins relocated to Colorado in 2016 and founded Harmony Law. Mr. Hutchins has established Harmony Law in three principal areas of law. First, it is a general practice firm in the areas of business law, estate planning and family law. Secondly, it is a civil litigation firm, practicing law in state and federal courts throughout Wyoming and Colorado. Finally, it is one of the few firms in Wyoming or Colorado that focuses on consumer protection law.

