Step 1. Industry-wide Standard Security Measures.

The Federal Trade Commission (the “FTC”) is the major cybersecurity federal enforcer in the United States. A number of enforcement actions based on inadequate information security measures brought by the FTC in the last two decades were due to the failure of businesses to implement readily available industry-wide security applications. Processors of personally identifiable information (“PII”) should consider employing widely-used information security practices such as encryption, multifactor authentication for access, strong passwords, firewalls and SSL (Secure Sockets Layer), VPN (Virtual Private Network) for remote access, TLS (Transport Layer Security) for data transfers, etc. If an organization commits in its Privacy and/or Information Security Policy to take reasonable steps to secure its clients’ PII, government regulators expect that the business will abide by its commitments and invest sufficient resources to implement reasonable information security measures.

As of today, the FTC has not issued a separate, legally binding, comprehensive federal regulation that would serve as a clear prevailing guideline for information security in the U.S. The agency is expected to eventually pass such a regulation. Meanwhile, businesses should turn to the complaints, final decisions, and consent decrees filed in the FTC’s past information security enforcement actions for guidance on what the agency considers inadequate information security protection, and adjust their practices accordingly if necessary.

A handful of states, including New York (the “Stop Hacks and Improve Electronic Data Security Act” — the SHIELD Act) and Massachusetts (Data Security regulations issued by the MA DCA (201 Mass. Code Reg. 03)), have passed statutes that provide a good pathway on what information security measures are considered adequate when processing information collected from their residents and operating in the particular state. The Ohio Data Protection Act allows businesses to “reasonably conform” to one of the following industry-recognized standards in order to satisfy Ohio’s minimum information security requirements: the NIST Cybersecurity Framework, NIST Special Publication 800-171, NIST Special Publications 800-53 and 800-53a, the FedRAMP security assessment framework, or ISO2700.

The FTC’s findings from its enforcement actions, combined with regulations passed by the states, are the main sources of the regulatory framework when it comes to securing PII in the U.S.

Read the introduction to “12 Steps”, previously published on this blog, for more information on cybersecurity.

“Step 2” coming soon…