The FTC and “Reasonable” Data Security

In a long-awaited decision this week (FTC v. Wyndham Worldwide Corp.), the U.S. Court of Appeals for the Third Circuit resoundingly affirmed the FTC’s authority to hold companies responsible for failing to maintain “reasonable data security.”  Neither the court nor the FTC, however, provided any specific guidance on what that term means in practice.

The liability exposure for failing to maintain reasonable data security is now quite serious, for every organization within the FTC’s reach, from global multinationals to small businesses.  As to what constitutes reasonable data security, the FTC’s position amounts to, “We’ll know it when we see it.”

Frankly, this is a fairly enlightened perspective.  There is no one-size-fits-all security armor, no single impervious standard or protocol.  Everyone is vulnerable to some degree.  But there are many, many things you can do to make your IT systems more reasonably secure, and the FTC, despite its caginess, knows what those steps are: its enforcement actions have consistently faulted basic failures such as default or weak passwords, unpatched systems, unencrypted sensitive data, and a lack of network monitoring.

So, you and your organization need to begin moving aggressively toward cyber security best practices, in ways that demonstrate you are at least fighting the good fight.

We advise starting with a review of the SANS Top 20 Security Controls (now maintained by the Center for Internet Security as the CIS Critical Security Controls).  Your organization almost certainly will not have all of them implemented, but together they make a great stretch goal.  Adding one new control across your environment every six months is a reasonable target, and a documented record of that progress is evidence of your commitment to reasonable data security.

Here’s an even easier, less expensive step: subscribe to Swan Island Networks’ Elite Service, Reasonable Data Security.  This new SaaS service provides alerts and dashboards designed to help you determine what reasonable data security means in the real world, today.  The very fact that you subscribe to it is evidence that you are moving your company in the right direction.

Bottom line: this week, the game changed.  Every company within the FTC’s jurisdiction is now responsible for running IT systems that are “reasonably secure.”  No official body is prepared to say specifically what this means, but the clear message is: keep upgrading your data protection, and be able to prove that you are making a real, conscientious effort.

Swan Island Networks can help.