Earlier this month, Andrew Smith, the FTC’s Director of the Bureau of Consumer Protection, announced that the Commission had made “three major changes” to its data security orders. Citing recent hearings at the FTC, as well as the Commission’s defeat in the closely watched LabMD case, Director Smith highlighted three key takeaways from seven consent orders announced against “an array of diverse companies.”
The fact that data breaches are becoming a routine occurrence in the life of a business is no surprise considering the drastic increase over recent years in the volume of data that companies maintain. While routine, breaches are nonetheless an extremely costly part of doing business. According to a 2014 research report by the Ponemon Institute, the average cost of post-breach activities is $1.6 million, with the average cost of lost business an astounding $3.2 million. Since some form of data breach incident is highly likely, one solid defense is to create a written information security program (WISP). However, a WISP must be more than mere words on paper. To make the program effective, a company must actually follow its WISP, in conjunction with other measures. And the company’s compliance efforts should be led by top executives in order to underscore the importance of the security issues involved.