FTC Rings in New Year with ‘Major Changes’ to Cybersecurity Orders and Throwback Reference to WISPs

Earlier this month, Andrew Smith, the FTC’s Director of the Bureau of Consumer Protection, announced that the Commission had made “three major changes” to its data security orders.[1] Citing recent hearings at the FTC, as well as the Commission’s defeat in the closely watched LabMD case,[2] Director Smith highlighted three key takeaways from seven consent orders announced against “an array of diverse companies.”[3]

  1. The new normal is for FTC orders to be “more specific.” Recent orders contain more detailed safeguards that address the FTC’s complaint allegations, in addition to more standard requirements regarding comprehensive, process-based data security programs. “Examples have included yearly employee training, access controls, monitoring systems for data security incidents, patch management systems, and encryption.”
  2. The FTC has enhanced “assessor accountability.” The FTC has recently imposed more exacting standards on third-party security assessors themselves, going beyond just requiring the third-party assessment itself. For example, assessors are required to “identify evidence to support their conclusions, including independent sampling, employee interviews, and document review.” Moreover, the FTC has inserted provisions allowing the FTC to replace assessors and prohibit assessors from refusing to produce documentation to the FTC based on privilege grounds.
  3. The FTC’s recent orders “elevate data security considerations to the C-Suite and Board level.” They contain specific provisions mandating that a company’s “written information security program” be presented annually to its Board. In addition, senior officers must now provide sworn, annual certifications of compliance to the FTC. According to Director Smith, this will “force senior managers to gather detailed information about the company’s information security program, so they can personally corroborate compliance with an order’s key provisions each year.”

These provisions technically apply only to the respondents in the cited orders. But they also lay out the FTC’s current cyber enforcement posture and give organizations an important insight into what may be in store in the aftermath of an enforcement action. At a minimum, companies should expect that FTC investigations will explore these areas in considerable depth. Accordingly, the scope of what “reasonable security” entails in the marketplace – at least at the FTC – has again shifted.

On this latter point, legal counsel may be most interested in the third “major change” highlighted by Director Smith. In a throwback reference to “written information security programs” (typically called “WISPs”), Director Smith noted the critical alignment needed between the WISP and the company’s actual security practices. This raises, as a preliminary question, what a WISP is and whether its definition has changed since 2009, when the term was popularized by Massachusetts’ enactment of 201 CMR 17.00 (“Standards for the Protection of Personal Information of Residents of the Commonwealth”). For a decade now, any company that owns or licenses personal information of a Massachusetts resident has been required to implement a risk-based WISP.[4] Do the recent FTC orders change anything in regard to the scope, substance and/or requirements around WISPs? If so, in what way?

To help answer these questions and to assist legal counsel in facilitating a fresh look at their respective WISPs – and in considering whether and how to present them to C-Suite/Board stakeholders – below is a comparative analysis that should help organizations look at their WISP against the FTC’s likely current view. The comparison chart draws from a “compliance checklist” prepared by the Massachusetts Attorney General and attempts to match those checklist items against the WISP requirements set forth in the FTC’s order against Equifax – which by all accounts suffered among the most significant data breaches in history. While not exhaustive, the chart demonstrates broad alignment of the WISP elements over time, with the Equifax order providing more granular details on administrative, physical and technical safeguards.

As always, cybersecurity preparedness and the FTC’s enforcement of security are evolving. In light of the FTC’s guardrails and growing focus on cybersecurity, companies should take a reasoned approach to investing in cybersecurity preparedness, calibrating security processes and controls to their unique risk posture and to industry standards.

Massachusetts WISP Checklist vs. FTC’s WISP Requirements in 2019 Equifax Consent Order[5]

Column 1 (MA): Massachusetts 201 CMR 17.00 “Compliance Checklist”
Column 2 (FTC): Requirements for “Mandated Information Security Program” in Federal Trade Commission’s 2019 FTC/Equifax Order

Each row pairs a checklist question (MA) with the corresponding provision of the Equifax order (FTC); where one document has no counterpart, the row says so.

MA: Do you have a comprehensive, written information security program (“WISP”) applicable to all records containing personal information about a resident of the Commonwealth of Massachusetts (“PI”)?
FTC: MANDATED INFORMATION SECURITY PROGRAM – IT IS FURTHER ORDERED that Defendant shall establish and implement, and thereafter maintain, for twenty years after entry of this Order, a comprehensive information security program (“Information Security Program”) designed to protect the security, confidentiality, and integrity of Personal Information. To satisfy this requirement, Defendant must, at a minimum:
     A. Document in writing the content, implementation, and maintenance of the Information Security Program, including the following: Documented risk assessments required under Section II.D; documented safeguards required under Section II.E; . . . and a description of the procedures adopted to implement and monitor the Information Security Program, including procedures for evaluating and adjusting the Information Security Program as required under Section II.I.

MA: Does the WISP include administrative, technical, and physical safeguards for PI protection?
FTC: E. Design, implement, maintain, and document safeguards that control for the material internal and external risks Defendant identifies to the security, confidentiality, or integrity of Personal Information …

MA: Have you designated one or more employees to maintain and supervise WISP implementation and performance?
FTC: C. Designate a qualified employee or employees to coordinate, oversee, and be responsible for the Information Security Program.

MA: Have you identified the paper, electronic and other records, computing systems, and storage media, including laptops and portable devices, that contain personal information?
FTC: 3. Identifying and documenting a comprehensive information technology (“IT”) asset inventory that includes hardware, software, and location of the assets.

MA: Have you chosen, as an alternative, to treat all your records as if they all contained PI?
FTC: [No clear parallel in FTC/Equifax Order]

MA: Have you identified and evaluated reasonably foreseeable internal and external risks to paper and electronic records containing PI?
FTC: D. Assess, at least once every twelve months, internal and external risks to the security, confidentiality, or integrity of Personal Information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information and document those risks that are material. Defendant shall further assess and document internal and external risks as described above as they relate to a Covered Incident promptly (not to exceed forty-five days) following verification of such a Covered Incident.

MA: Have you evaluated the effectiveness of current safeguards?
FTC: F. Assess, at least once every twelve months, the sufficiency of any safeguards in place to address the risks to the security, confidentiality, or integrity of Personal Information, and evaluate and implement any needed modifications to the Information Security Program based on the results. Defendant shall further assess the sufficiency of safeguards as described above, as they relate to a Covered Incident, promptly (not to exceed forty-five days) following verification of such an incident. Each such assessment must evaluate safeguards in each area of relevant operation, including: Employee training and management; Information systems, such as network and software design, or information processing, storage, transmission, and disposal; and Prevention, detection, and response to attacks, intrusions, or other system failures.

MA: Does the WISP include regular ongoing employee training, and procedures for monitoring employee compliance?
MA: Does the WISP include disciplinary measures for violators?
FTC: 10. Establishing regular information security training programs, updated, as applicable, to address internal or external risks identified by Defendant, including, at a minimum:
     a. At least annual information security awareness training for all employees, including notifying employees of the process for submitting complaints and concerns pursuant to Section II.E.12; and
     b. Training for software developers relating to secure software development principles and intended to address well-known and reasonably foreseeable vulnerabilities, such as cross-site scripting, structured query language injection, and other risks identified by Defendant through risk assessments and/or penetration testing.

MA: Does the WISP include policies and procedures for when and how records containing PI should be kept, accessed or transported off your business premises?
FTC: [No clear parallel in FTC/Equifax Order]

MA: Does the WISP provide for immediately blocking terminated employees’ physical and electronic access to PI records (including deactivating their passwords and user names)?
FTC: [No clear parallel in FTC/Equifax Order]

MA: Have you taken reasonable steps to select and retain a third-party service provider that is capable of maintaining appropriate security measures consistent with 201 CMR 17.00?
FTC: H. Select and retain service providers capable of safeguarding Personal Information they access through or receive from Defendant, and contractually require service providers to implement and maintain safeguards tailored to the amount and the type of Personal Information at issue.

MA: Have you required such third-party service provider by contract to implement and maintain such appropriate security measures?
FTC: H. Select and retain service providers capable of safeguarding Personal Information they access through or receive from Defendant, and contractually require service providers to implement and maintain safeguards tailored to the amount and the type of Personal Information at issue.

MA: Is the amount of PI that you have collected limited to the amount reasonably necessary to accomplish your legitimate business purposes or to comply with state or federal regulations?
FTC: [No clear parallel in FTC/Equifax Order]

MA: Is the length of time that you are storing records containing PI limited to the time reasonably necessary to accomplish your legitimate business purpose or to comply with state or federal regulations?
FTC: [No clear parallel in FTC/Equifax Order]

MA: Is access to PI records limited to those persons who have a need to know in connection with your legitimate business purpose, or in order to comply with state or federal regulations?
FTC: 5. Designing, implementing, and maintaining measures to limit unauthorized access in any network or system that stores, collects, maintains, or processes Personal Information, such as segmentation of networks and databases and properly configured firewalls.

MA: In your WISP, have you specified the manner in which physical access to PI records is to be restricted?
MA: Have you stored your records and data containing PI in locked facilities, storage areas or containers?
FTC: F. … Each such assessment must evaluate safeguards in each area of relevant operation, including: Employee training and management; Information systems, such as network and software design, or information processing, storage, transmission, and disposal; and prevention, detection, and response to attacks, intrusions, or other system failures.

MA: Have you instituted a procedure for regularly monitoring to ensure that the WISP is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of PI; and for upgrading it as necessary?
MA: Are your security measures reviewed at least annually, or whenever there is a material change in business practices that may affect the security or integrity of PI records?
FTC: I. Evaluate and adjust the Information Security Program in light of any changes to Defendant’s operations or business arrangements, including, without limitation, acquisition or licensing of any new information systems, technologies, or assets through merger or acquisition, a Covered Incident, or any other circumstances that Defendant knows or has reason to know may have a material impact on the effectiveness of the Information Security Program. At a minimum, Defendant must evaluate the Information Security Program at least once every twelve months and, as it relates to a Covered Incident, promptly (not to exceed sixty days) following verification of such an incident and modify the Information Security Program based on the results.

MA: Do you have in place a procedure for documenting any actions taken in connection with any breach of security; and does that procedure require post-incident review of events and actions taken to improve security?
FTC: G. Test and monitor the effectiveness of the safeguards at least once every twelve months and, as they relate to a Covered Incident, promptly (not to exceed sixty days) following verification of such an incident, and modify the Information Security Program based on the results. Such testing shall include vulnerability testing of Defendant’s network at least once every four months and, as it relates to a Covered Incident, promptly (not to exceed sixty days) following verification of such an incident, and penetration testing of Defendant’s network at least once every twelve months and, as it relates to a Covered Incident, promptly (not to exceed sixty days) following verification of such an incident.

MA: Do you have in place secure authentication protocols that provide for:
     - Control of user IDs and other identifiers?
     - A reasonably secure method of assigning/selecting passwords, or for use of unique identifier technologies (such as biometrics or token devices)?
     - Control of data security passwords such that passwords are kept in a location and/or format that does not compromise the security of the data they protect?
     - Restricting access to PI to active users and active user accounts?
     - Blocking access after multiple unsuccessful attempts to gain access?
FTC: 5. Designing, implementing, and maintaining measures to limit unauthorized access in any network or system that stores, collects, maintains, or processes Personal Information, such as segmentation of networks and databases and properly configured firewalls;
     6. Implementing access controls across Defendant’s network, such as multi-factor authentication and strong password requirements;
     7. Limiting user access privileges to systems that provide access to Personal Information to employees, contractors, or other authorized third parties with a business need to access such information and establishing regular documented review of such access privileges.

MA: Do you have secure access control measures that restrict access, on a need-to-know basis, to PI records and files?
MA: Do you assign unique identifications plus passwords (which are not vendor-supplied default passwords) to each person with computer access; and are those IDs and passwords reasonably designed to maintain the security of those access controls?
FTC: 6. Implementing access controls across Defendant’s network, such as multi-factor authentication and strong password requirements;
     7. Limiting user access privileges to systems that provide access to Personal Information to employees, contractors, or other authorized third parties with a business need to access such information and establishing regular documented review of such access privileges.

MA: Do you, to the extent technically feasible, encrypt all PI records and files that are transmitted across public networks and that are to be transmitted wirelessly?
MA: Do you, to the extent technically feasible, encrypt all PI stored on laptops or other portable devices?
FTC: 8. Implementing protections, such as encryption, tokenization, or other at least equivalent protections, for Personal Information collected, maintained, processed, or stored by Defendant, including in transit and at rest. To the extent that any of the identified protections are infeasible, equivalent protections shall include effective alternative compensating controls designed to protect unencrypted data at rest or in transit, which shall be reviewed and approved by the qualified employee or employees designated to coordinate, oversee, and be responsible for the Information Security Program.

MA: Do you have monitoring in place to alert you to the occurrence of unauthorized use of or access to PI?
FTC: 4. Designing and implementing protections such as network intrusion protection, host intrusion protection, and file integrity monitoring, across Defendant’s network and IT assets, including Defendant’s legacy technologies.

MA: On any system that is connected to the Internet, do you have reasonably up-to-date firewall protection for files containing PI; and operating system security patches to maintain the integrity of the PI?
FTC: 1. Establishing patch management policies and procedures that require confirmation that any directives to apply patches or remediate vulnerabilities are received and completed and that include timelines for addressing vulnerabilities that account for the severity and exploitability of the risk implicated;
     5. Designing, implementing, and maintaining measures to limit unauthorized access in any network or system that stores, collects, maintains, or processes Personal Information, such as segmentation of networks and databases and properly configured firewalls.

MA: Do you have reasonably up-to-date versions of system security agent software (including malware protection) and reasonably up-to-date security patches and virus definitions?
FTC: 2. Establishing and enforcing policies and procedures to ensure the timely remediation of critical and/or high-risk security vulnerabilities.

MA: Do you have in place training for employees on the proper use of your computer security system, and the importance of PI security?
FTC: 10. Establishing regular information security training programs, updated, as applicable, to address internal or external risks identified by Defendant, including, at a minimum:
     a. At least annual information security awareness training for all employees, including notifying employees of the process for submitting complaints and concerns pursuant to Section II.E.12; and
     b. Training for software developers relating to secure software development principles and intended to address well-known and reasonably foreseeable vulnerabilities, such as cross-site scripting, structured query language injection, and other risks identified by Defendant through risk assessments and/or penetration testing.

MA: [No clear parallel in Massachusetts WISP Checklist]
FTC: B. Provide the written Information Security Program and any material evaluations thereof or updates thereto to Defendant’s board of directors or a relevant subcommittee thereof, or equivalent governing body or, if no such board or equivalent governing body exists, to a senior officer of Defendant responsible for Defendant’s Information Security Program at least once every twelve months.

MA: [No clear parallel in Massachusetts WISP Checklist]
FTC: 9. Establishing and enforcing written policies, procedures, guidelines, and standards designed to: a. Ensure the use of secure development practices for applications developed in-house; and b. Evaluate, assess, or test the security of externally developed applications used within Defendant’s technology environment.

MA: [No clear parallel in Massachusetts WISP Checklist]
FTC: 11. Establishing a clear and easily accessible process for receiving and addressing security vulnerability reports from third parties such as security researchers and academics.

MA: [No clear parallel in Massachusetts WISP Checklist]
FTC: 12. … establishing a clear and easily accessible process overseen by a senior corporate manager for employees to submit complaints or concerns about Defendant’s information security practices, including establishing a clear process for reviewing, addressing, and escalating employee complaints or concerns.

[1] “New and improved FTC data security orders: Better guidance for companies, better protection for consumers,” FTC Blog Post, available at https://www.ftc.gov/news-events/blogs/business-blog/2020/01/new-improved-ftc-data-security-orders-better-guidance (last accessed Jan. 23, 2020).

[2] LabMD, Inc. v. Fed. Trade Comm’n, 894 F.3d 1221 (11th Cir. 2018). The appeal was handled by a team that included litigators Doug Meal and Michelle Visser who joined Orrick in January 2019.

[3] The seven orders include: ClixSense (pay-to-click survey company), i-Dressup (online games for kids), DealerBuilt (car dealer software provider), D-Link (Internet-connected routers and cameras), Equifax (credit bureau), Retina-X (monitoring app), and Infotrax (service provider for multilevel marketers).

[4] Massachusetts requires that covered businesses take into account “the particular business’ size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security” in designing and implementing WISPs.

[5] This chart matches the Massachusetts WISP requirements, as set forth in the Massachusetts Attorney General’s compliance checklist, against information security program provisions that the FTC imposed on Equifax following disclosure of Equifax’s 2018 data breach. See FTC v. Equifax, Stipulated Order for Permanent Injunction and Monetary Judgment (filed July 23, 2019), available at https://www.ftc.gov/system/files/documents/cases/172_3203_equifax_order_signed_7-23-19.pdf (last accessed Jan. 23, 2020).