On November 13, 2015, the Federal Trade Commission and the Federal Communications Commission entered into a Memorandum of Understanding to address coordination of consumer protection actions by each agency. Following a wave of what observers perceive as a turf battle between the FTC and FCC (namely the reclassification of broadband internet access services as a common carrier service outside the FTC’s jurisdiction), and a dramatic increase in FCC data security regulatory enforcement actions, the MOU suggests that the FTC and FCC are in fact serious about cooperation and collaboration, especially on data security issues. Although organizations have better transparency and predictability in the enforcement landscape, they should also anticipate more sophisticated investigations based on richer data and improved investigative techniques.
The fact that data breaches are becoming a routine occurrence in the life of a business is no surprise considering the drastic increase over recent years in the volume of data that companies maintain. While routine, breaches are nonetheless an extremely costly part of doing business. According to a 2014 research report by the Ponemon Institute, the average cost of post-breach activities is $1.6 million, with the average cost of lost business an astounding $3.2 million. Since some form of a data breach incident is highly likely, one solid defense is to create a written information security program (WISP). However, a WISP must be more than mere words on paper. In order to create an effective program, a company must comply with its WISP, in conjunction with other measures. And the company’s compliance efforts should be led by top executives in order to underscore the importance of the security issues involved.