State laws and the FTC require companies to implement “reasonable security,” but definitions remain frustratingly vague. FTI Consulting’s Ryan Smyth and BakerHostetler’s Joe Bruemmer break down how recent regulatory actions and guidance are helping to clarify these expectations.
Many U.S. states and territories have laws that require organizations to maintain “reasonable security” to protect personal information. The FTC has expressed a similar expectation of organizations. Oftentimes, however, the applicable cybersecurity laws do not provide further explanation concerning what constitutes reasonable security. How, then, can organizations determine whether regulators would view their security measures as reasonable?
Fortunately, a number of resources exist to help companies evaluate whether they have “reasonable security” in place. First, a handful of the state cybersecurity laws themselves provide guidance. Second, the FTC and certain state regulators have issued guides explaining their views on the issue. And third, recent consent orders and assurances of voluntary compliance (AVCs) with the FTC and state attorneys general provide insight into the regulators’ expectations.
By piecing these different resources together, CISOs and cybersecurity professionals can begin to answer the question, “What is reasonable security?”
State cybersecurity laws
The first place to look to understand statutory or regulatory requirements is the language of the statute or regulation itself. Some states, like New York and Massachusetts, provide illustrative, non-exhaustive lists of certain administrative, technical and physical safeguards that the applicable jurisdictions consider to be part of a reasonable information security program, such as risk assessments, employee cybersecurity training and threat detection and prevention measures. Other states take a different approach; Ohio, for example, incentivizes organizations to implement written cybersecurity programs that conform to one of a number of specified, industry-recognized cybersecurity frameworks, such as NIST, CIS and ISO frameworks. Organizations attempting to understand their cybersecurity obligations should begin by identifying the applicable specific state laws and familiarizing themselves with the requirements of those laws.
Regulatory guidance
Certain regulators and state attorneys general have published data security guides for businesses, providing some insight into the regulators’ expectations. In April 2023, the New York attorney general’s office published a report titled, “Protecting consumers’ personal information: Tips for businesses to keep data safe and secure.” The report identifies a number of data security measures that the office views as the “minimum” measures businesses must implement to secure personal information. Specifically, the report encourages businesses to:
- Maintain controls for secure authentication, such as multifactor authentication and password complexity requirements.
- Encrypt sensitive customer information.
- Ensure service providers use reasonable security measures.
- Know where they keep consumer information (by maintaining an asset inventory).
- Guard against data leakage in web applications.
- Protect customer accounts involved in data security incidents (by, for example, notifying customers and resetting their passwords).
- Delete or disable unnecessary accounts.
- Guard against automated attacks.
- Provide clear and accurate notice to consumers.
Similarly, in October 2023, the FTC published “Start with Security: A Guide for Business,” which built upon its 2016 publication, “Protecting Personal Information: A Guide for Business.” In “Start with Security,” the FTC offers a number of security recommendations for businesses based on its observations from more than 80 FTC law enforcement actions. Several of the recommendations are also found in the New York attorney general’s guide, such as secure authentication controls, encryption and vendor management programs, but the FTC’s publication goes further and recommends, among other things, that businesses employ security measures like network segmentation, endpoint detection and response tools, vulnerability assessments and penetration tests, along with a number of additional administrative, technical and physical safeguards.
Consent orders & AVCs
Regulators’ guides aggregate their findings and recommendations from the enforcement actions they’ve brought, but companies interested in developing a more detailed understanding of the regulators’ expectations can go straight to the source — the consent orders and AVCs that the regulators have secured through those enforcement actions.
The FTC has the authority to investigate and take enforcement action against possible violations of the FTC Act (1914), which protects consumers from unfair or deceptive practices in or affecting commerce. In the context of cybersecurity, the FTC Act is used to regulate privacy and security-related activity, such as a misleading privacy notice that could be interpreted as deceptive, often following a cybersecurity incident or data breach.
Should the FTC bring a complaint against an organization, it can result in either an informal resolution, where the organization agrees to modify business practices without formal enforcement action, or a consent order, a formal agreement between the FTC and the organization requiring the modification of business practices. Failure to comply with a consent order may result in further fines, costly litigation or more severe enforcement actions. Consent orders typically run for 20 years and require a third-party auditor to regularly assess whether the specifically outlined security improvements are being implemented and maintained.
AVCs are statutorily permitted remedies available to state regulators to resolve alleged violations of state data security laws, unfair and deceptive trade practices laws and other consumer protection laws. They involve a voluntary promise by the organization entering into the AVC to take specific actions, such as implementing a written information security program consisting of specified elements and making a monetary payment to the state. Violations of an AVC may result in a state regulator bringing an enforcement action against the organization, and the AVC may be used as evidence in such an action.
What do consent orders and AVCs typically include?
Consent orders and AVCs prescribe specific security measures that the FTC and state attorneys general require organizations to implement. While some of the terms might be tailored to the specific incident at issue, there are certain terms that appear time and again in these agreements and represent the core components of what the attorneys general consider to be reasonable data security. Specifically, they require organizations to:
- Implement, maintain and revise a written comprehensive information security program containing administrative, technical and physical safeguards appropriate to the size and complexity of the company’s operations, the nature and scope of its operations and the sensitivity of its personal information.
- Designate a specific executive or officer with the appropriate credentials, background, experience and expertise to oversee the information security program.
- Have that individual report to the chief executive officer and board of directors on a periodic basis about the information security program and report data security incidents to them within a specified period of time (i.e., 48 hours).
- Provide sufficient resources and support to allow the information security program to function as intended.
- Maintain a written incident response plan, test the plan annually and revise it as necessary to adapt to any material changes that affect the security of personal information.
- Conduct annual risk assessments using a recognized method and use them to inform and evaluate the efficacy of the information security program.
- Provide security awareness training and privacy training to personnel whose job involves access to or responsibility for personal information.
- Conduct annual penetration tests and use findings from those tests to identify, assess and remediate security vulnerabilities.
- Implement, maintain and revise a vendor management program consisting of policies and procedures for overseeing vendors that address due diligence requirements for evaluating vendors, data security requirements for vendor contracts, processes to oversee vendors during the life of the engagement, and an enhanced process for “significant” vendors.
- Implement and maintain policies and procedures for secure data retention and deletion.
- Implement specific technical safeguards, including implementing and maintaining, among other things, an asset inventory, logging and monitoring, endpoint detection and response, data loss prevention, password management and network segmentation.
- Submit a report within 30 days of an organization’s discovery of a “covered incident,” and subsequently update it every 30 days until the incident is fully investigated and any remediation efforts are fully implemented.
The duration of the obligations under consent orders and AVCs can vary, but it is common for FTC consent orders to remain in effect for a period of 20 years.
Leveraging this information to define ‘reasonable security’
There is no static list of security measures that organizations should have in place. Cybersecurity threats and defenses constantly evolve, and organizations should not view the specific safeguards outlined in the guides, consent orders and AVCs discussed above as “check-the-box” requirements that, if implemented, will ensure a regulator will find that they have taken reasonable steps to protect personal information.
Instead, organizations should create written information security programs that are based on periodic risk assessments, employ controls based on those risk assessments and evolve with changes to the organizations’ risk profiles and the cybersecurity landscape. In designing these programs, organizations can use the resources described above as reference points for their efforts to achieve compliance with data security laws and maintain reasonable security. Consent orders and many AVCs are publicly available and can be used to gain a better understanding of what regulators expect regarding cybersecurity best practices. The requirements outlined in the consent orders and AVCs serve as unofficial policy, setting expectations not only for the organization under the order but also for other organizations that fall under the regulators’ jurisdiction.
Meeting & exceeding minimum standards
Once organizations are aware of the expectations outlined by consent orders and AVCs, they can assess whether their own data policies and procedures align with those standards and implement changes as needed. Organizations can start this process with:
- Risk assessments: Conduct a thorough risk assessment to understand the risks presented by the company’s network, vendors and data privacy practices.
- Risk-based security programs: Develop a risk-based security program that focuses on protecting against the most likely threats to the organization, with a clear link from risks identified during the assessment to safeguards that mitigate those risks.
- Training: Conduct a tabletop exercise that presents the organization with a fact pattern of a data security incident tailored to the organization’s operations and tests how the organization would respond, both from an incident response and a business continuity perspective.
- Security assessments/mock audits: Conduct a security assessment to measure the organization’s maturity using a recognized industry framework, and then use the findings from the assessment to evaluate the organization’s compliance with applicable data security laws and regulators’ expectations as to what constitutes “reasonable security.”
- Incident response plans: Develop or review your incident response plan to ensure that it reflects the most recent developments in the threat and regulatory landscapes.
- Vendor risk management programs: Develop a vendor risk management program that establishes policies and procedures for assessing and managing vendor risk.
Taking these steps will not only help organizations defend the position that they maintained “reasonable security” if and when the need arises but also will help organizations enhance their cybersecurity practices and reduce the risk of a significant cybersecurity incident occurring in the first place.