On Jan. 18, 2018, the Federal Trade Commission (FTC) published its Annual Privacy and Data Security Update. The update is helpful to businesses in that it recaps the efforts and areas of involvement the FTC has targeted in the past year as well as guides data protection strategies for 2018. The report provides a detailed review of the FTC’s areas of enforcement and international privacy protection updates, as well as the FTC’s domestic educational and cyber initiatives in 2017.
As it is primarily an enforcement agency, the FTC recapped its 2017 enforcement efforts in the data privacy world. Most importantly, on Dec. 14, 2017, the Federal Communications Commission voted to reclassify broadband internet access service (BIAS), returning privacy and data security jurisdiction over BIAS providers to the FTC. This represents a massive shift of data privacy enforcement jurisdiction back to the FTC. We previously discussed this decision and its impact in a recent blog post.
The FTC explained that the goal of enforcement is to protect consumer personal information. It accomplishes this by, for example, bringing privacy and data security cases against violating companies and compelling them to change their practices, with remedies covering “implementation of comprehensive privacy and security programs, biennial assessments by independent experts, monetary redress to consumers, disgorgement of ill-gotten gains, deletion of illegally obtained consumer information, and providing robust transparency and choice mechanisms to consumers.” The FTC also conducted research and reporting through workshops and educational materials on data security best practices. The report describes the privacy and data security matters the FTC prosecuted in 2017.
The FTC also recapped its international enforcement efforts. It sought enforcement actions under the U.S.-EU Safe Harbor Program, its first under the Privacy Shield, and under the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR).
In addition to its enforcement efforts, the FTC reflected on its educational outreach and guidance to businesses in 2017, which included research on phishing prevention technology and encouragement for businesses to adopt recommended tools. The FTC found that although most companies use some form of email authentication, fewer than 10 percent use Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC is a DNS TXT record published at _dmarc.<domain> that tells receiving mail servers how to treat messages that fail SPF or DKIM alignment (monitor only, quarantine or reject) and where to send reports, so a domain that stops at SPF or DKIM alone still gives receivers no instruction to block spoofed mail bearing its name.
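To show what the “use DMARC” finding means in practice, here is an added example (not code from the FTC report or this blog) that parses DMARC records and flags the settings a reviewer would treat as weak: no record at all, a monitor-only p=none policy, a pct= below 100, an sp=none that leaves subdomains unprotected, and no rua= reporting address. The sample records and the .example domains are constructed for illustration; to check a real domain, feed the output of `dig +short TXT _dmarc.<domain>` into assess_dmarc.

```python
from typing import Dict, List, Optional

# Constructed sample _dmarc TXT records for illustration only. The domains are
# placeholders; none of these is a real published record.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "strict.example": "v=DMARC1; p=reject; sp=reject; pct=100; "
                      "rua=mailto:dmarc-agg@strict.example; adkim=s; aspf=s",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10; sp=none",
    "noreports.example": "v=DMARC1; p=reject",
    "missing.example": None,                      # no _dmarc record at all
    "spf-only.example": "v=spf1 include:_spf.example -all",  # SPF, not DMARC
}

ENFORCING_POLICIES = ("quarantine", "reject")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489, section 6.3).

    Raises ValueError when the text is not a DMARC record or lacks the
    mandatory v= and p= tags.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v= must be DMARC1)")
    if tags.get("p") not in ("none",) + ENFORCING_POLICIES:
        raise ValueError("missing or invalid p= tag")
    return tags


def assess_dmarc(record: Optional[str]) -> Dict[str, object]:
    """Return the domain policy, whether it is fully enforced, and a list of
    weaknesses a reviewer would flag. Passing None models a missing record."""
    if not record:
        return {"policy": None, "enforcing": False,
                "findings": ["no DMARC record published"]}
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return {"policy": None, "enforcing": False,
                "findings": [f"invalid record: {exc}"]}

    findings: List[str] = []
    policy = tags["p"]
    if policy == "none":
        findings.append("p=none is monitor-only; receivers take no action on failures")
    pct = int(tags.get("pct", "100"))          # pct defaults to 100 per RFC 7489
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    subdomain_policy = tags.get("sp", policy)   # sp defaults to the p= value
    if policy in ENFORCING_POLICIES and subdomain_policy == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, no visibility")
    return {"policy": policy,
            "enforcing": policy in ENFORCING_POLICIES and pct == 100,
            "findings": findings}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        print(f"{domain}: p={result['policy']} enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Only strict.example comes back clean; the others each illustrate a way a domain can technically “have DMARC” while still leaving spoofed mail unblocked, which is why a bare deployment count understates the gap the FTC found.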
In 2017, the FTC made a concerted effort to educate small businesses on cybersecurity threats and response. It created a website specifically for small business owners, providing education and tips on cyber risks and response details for data breaches. Further, the FTC presented and held several roundtables throughout the country regarding small businesses and data security. Finally, the FTC prepared several videos for businesses on NIST’s cybersecurity framework, data breach response, ransomware and email authentication.
Given the potential magnitude and increasing frequency of data breaches, and the ever-changing data privacy enforcement landscape, businesses should review the FTC’s cybersecurity recommendations and decide which of them to implement.