On July 21, 2017, the FTC announced its publication of “Stick with Security,” a series of blog posts on reasonable steps that companies should take to protect and secure consumer data. The posts will build on the FTC’s Start with Security Guide for Businesses, and will be based on the FTC’s 60+ law enforcement actions, closed investigations and questions from businesses. Every Friday for the next few months, the FTC will publish on its Business Blog a new post focusing on each of the 10 “Start with Security” principles.
Its first post, “Stick with Security: Insights into FTC Investigations,” focuses on themes common to investigations that the FTC has closed and that did not result in enforcement actions. One main reason the FTC may close an investigation is if the company’s practices line up with the FTC’s 10 “Start with Security” principles. The FTC cites as an example having effective procedures in place to train staff, keep sensitive information secure, address vulnerabilities and respond quickly to new threats. The FTC also considers whether proceeding with the investigation is a good use of resources. For example, the FTC may not consider an investigation high priority if a company experiences a breach affecting only a small amount of non-sensitive information. Another consideration is whether the FTC is the right agency to pursue the investigation. Recognizing that it is the “primary cop on the beat” on data security matters, the FTC notes that it works with other agencies with similar missions (including the DOJ, HHS, CFPB and FCC), which may be more appropriate to handle an investigation, depending on the circumstances. Lastly, the FTC prioritizes privacy and security issues that pose a real, and not just theoretical, risk to data. An example of a theoretical risk that the FTC may choose not to pursue is a vulnerability in a mobile device that would require both possession of the consumer’s device and highly sophisticated tools to exploit.
The FTC’s next blog post, to be published this Friday, July 28, will focus on “initial steps to start with security.”