FTC Cybersecurity Compliance, GLBA, FCRA and SEC
In the United States, the Federal Trade Commission (FTC) is the lead federal cybersecurity and privacy regulator. It relentlessly brings enforcement actions across the country for inadequate data protection or poor privacy practices, notably under the FTC Act, GLBA and FCRA / FACTA.
What is the Federal Trade Commission?
Established over a century ago, in 1914, the Federal Trade Commission (FTC) is an independent US federal agency empowered to regulate competition and protect consumers from fraudulent or deceptive trade practices in the United States. The FTC has several bureaus, including the Bureau of Consumer Protection (BCP), which, among other things, regulates abusive telemarketing and robocalls.
ImmuniWeb can help you comply with the FTC Cybersecurity Regulations. Learn more
What laws and regulations does the FTC enforce?
The Commission has enforcement authority, or other responsibilities, under more than 70 federal laws, oftentimes in collaboration with other regulatory agencies, the US Department of Justice (DOJ) and state Attorneys General (AG). Currently, there is no overarching privacy and data protection law in the US; however, if such legislation is one day enacted, the FTC will most likely be empowered to enforce it and to issue additional rules under the statute.
The FTC brought its first enforcement action involving Internet fraud in 1994, and today it is the de facto main federal regulator of cybersecurity and privacy across the US. For instance, the Commission developed the HIPAA Breach Notification Rule. The other most important laws related to the digital space and enforced by the Commission are described below.
Federal Trade Commission Act (FTCA)
In 1914, the newly enacted Federal Trade Commission Act (FTCA) established the Federal Trade Commission (FTC), which over time became the data security watchdog of the United States. The FTC Act was initially passed to ensure healthy competition, prevent a wide spectrum of unfair trade practices and protect American consumers from fraud. The Act generally applies to all industries and all company sizes unless an area is regulated separately by another federal law.
The Act delegated broad powers to the FTC, including but not limited to the following:
- Preventing unfair methods of competition, and unfair or deceptive acts or practices in or affecting commerce; and
- Seeking monetary redress and other relief for conduct injurious to consumers; and
- Prescribing trade regulation rules defining with specificity acts or practices that are unfair or deceptive, and establishing requirements designed to prevent such acts or practices; and
- Conducting investigations relating to the organization, business, practices, and management of entities engaged in commerce.
Today, the Commission commonly leverages Section 5(a) of the FTC Act to assert and energetically exercise its regulatory authority to police poor cybersecurity or flawed privacy practices. Section 5(a) prohibits unfair or deceptive trade practices in the marketplace, and the FTC construes its plain language broadly. In a nutshell, if a company declares, promotes or otherwise advertises strong or reasonably expected protection of customer data or privacy, and then fails to implement the requisite security controls, the company will likely violate Section 5(a) of the FTC Act and trigger the Commission’s scrutiny.
According to the FTC website, the Commission usually requires companies to take the necessary steps to remediate privacy and data security deficiencies, for instance by implementing a comprehensive privacy and security program, conducting regular security assessments and penetration tests by independent security vendors, and maintaining up-to-date data protection policies and procedures. The Commission may also order monetary redress to aggrieved consumers, disgorge ill-gotten gains, impose deletion of unlawfully obtained consumer information, and order the implementation of transparent and fair data handling and privacy practices.
As of 2021, the Commission has brought many hundreds of enforcement cases against companies of all sizes from all industries in the US. If a company violates an FTC order, the Commission may sanction the disobedience by seeking monetary penalties. In the recent case against Facebook, for the alleged violation of the FTC’s 2012 order, the FTC settled with Facebook for a record 5 billion USD, convincingly demonstrating that non-compliance is costly and painful.
Since the landmark “LabMD” judicial case in 2018, when the 11th Circuit Court of Appeals determined that the FTC’s order to implement “reasonable security” was overbroad, vague and thus unenforceable, FTC enforcement orders have become considerably more detailed and specific, including such components as vendor risk management and penetration testing. For example, the recent FTC consent order with Zoom (File Number: 192 3167) contains, among other elements, the following cybersecurity provisions:
- Testing for OWASP Top 10 and publicly known (e.g. listed in the National Vulnerability Database (NVD)) web application vulnerabilities prior to deploying a web application to production.
- Testing and monitoring the efficiency of security controls at least every 12 months, which must include penetration testing by a qualified and independent third party.
- Conducting vulnerability scans of all networks on at least a quarterly basis and remediating high-risk vulnerabilities no later than 30 days after the security vulnerability is detected.
- Selecting external service providers capable of safeguarding the entrusted information from both internal and external risks and threats.
Finally, the FTC also provides practical cybersecurity and privacy guides for businesses. The most impactful are “Data Breach Response: A Guide for Business”, “App Developers: Start with Security” and “Careful Connections: Keeping the Internet of Things Secure”.
Gramm-Leach-Bliley Act (GLBA)
Enacted in 1999, GLBA is a US federal law that, among its main provisions liberalizing the regulatory regime of the banking and financial industry, mandates financial institutions to transparently disclose their information-sharing practices to individual customers and to duly protect their financial data.
Financial institutions are broadly defined under the statute and include “companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance.” The definition encompasses loan brokers, debt collectors and even tax return preparers.
Importantly, the data security obligations imposed under GLBA must also be respected by vendors and suppliers of the regulated financial institutions if they process financial data on behalf of the covered institutions.
In addition to the Privacy Rule, GLBA ensures NPI data protection by virtue of the Safeguards Rule (16 CFR Part 314). Similarly to many other laws and regulations, the rule requires covered financial institutions and their subcontractors to develop a well-thought-out data protection strategy and maintain up-to-date information security policies and procedures. Covered entities shall regularly perform risk assessments, and develop and test the adequacy of security controls designed to mitigate cyber risks and digital threats. Confidentiality, integrity and availability are the main pillars of the rule. Management shall likewise designate a qualified individual to lead cybersecurity and data protection practices within the organization. Furthermore, considerable attention is given to vetting and ongoing security training of personnel who have access to NPI. Some of the specific security recommendations promulgated by the FTC under the Safeguards Rule are:
- Know where sensitive customer information is stored, and store it securely.
- Take steps to ensure the secure transmission of customer information.
- Monitor the websites of your software vendors and read relevant industry publications for news about emerging threats and available defenses.
- Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information.
- Consider notifying consumers, law enforcement, and/or businesses in the event of a security breach.
As briefly mentioned above, GLBA imposes obligations for third-party risk management. The law mandates covered financial institutions to take appropriate precautionary steps to engage only external service providers that are capable of maintaining adequate safeguards and security controls for the customer NPI entrusted to them.
Fair Credit Reporting Act (FCRA) and Fair and Accurate Credit Transactions Act (FACTA)
Enacted by Congress in 1970, the Fair Credit Reporting Act (FCRA) is one of the first federal privacy-related laws in the United States, primarily covering consumer credit reports.
Amended by the Fair and Accurate Credit Transactions Act (FACTA) in 2003, the Act provides data protection safeguards by virtue of the Red Flags Rule, for which the FTC retains responsibility.
According to the Commission, the Red Flags Rule applies to a very broad list of businesses including financial institutions, automobile dealers, mortgage brokers, utility companies and telecom companies that have covered accounts. FACTA gives a broad interpretation to “covered accounts” that comprise credit cards, monthly utility or mobile phone bills, social security numbers, driver license numbers, medical insurance accounts – all accounts where identity theft is foreseeable.
Among other duties, the rule mandates covered entities to implement a written information security program to timely detect, prevent and mitigate identity theft in connection with the opening or maintenance of covered accounts. This includes continuous security monitoring, data breach detection, incident detection and response, anti-fraud and incoming-complaint management processes.
In a nutshell, covered organizations must timely detect identity theft, mitigate its consequences, and provide an adequate post-incident response to prevent similar cases in the future.
Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC)
The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 amended the above-mentioned FCRA to transfer identity theft rulemaking (the Red Flags Rule) responsibility and enforcement authority to the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) with respect to the SEC- and CFTC-regulated entities.
Without entering into the highly complex regulation of publicly traded companies, investment funds and other entities falling within the purview of the SEC, it is relevant to briefly analyze the non-binding “Cybersecurity and Resiliency Observations” guidance issued by the SEC’s Office of Compliance Inspections and Examinations (OCIE), now known as the Division of Examinations, for practical data protection instructions. The guidelines are composed of seven interrelated sections:
- Governance and Risk Management
- Access Rights and Controls
- Data Loss Prevention
- Mobile Security
- Incident Response and Resiliency
- Vendor Management
- Training and Awareness
Some specific security controls and cybersecurity measures include the following:
- Maintaining an inventory of hardware and software assets, including identification of critical assets and information (i.e., know where they are located, and how they are protected).
- Establishing a vulnerability management program that includes routine scans of software code, web applications, servers and databases both within the organization and applicable third-party providers.
- Establishing a patch management program covering all software (i.e., in-house developed, custom off-the-shelf, and other third-party software).
- Establishing a vendor management program to ensure vendors meet security requirements and that appropriate safeguards are implemented.
To stay up to date with the foregoing and other cybersecurity best practices, you may subscribe to CISA Cyber Alerts.