Thursday, June 12, 2014

Jason Atchley : Data Security : Define "Reasonable" When It Comes to Data Security


Define 'Reasonable' When It Comes to Data Security

In-House Straight, Corporate Counsel

The Federal Trade Commission’s standard for data security practices is “reasonableness.” But what does that really mean in practice, ask Philip Gordon and Zoe Argento of Littler Mendelson. It’s a question of importance to in-house counsel for many reasons, including employment matters and protecting personal information. But “the challenge for employers, like that for businesses responsible for safeguarding customers’ data, is how to translate 'reasonable' security requirements into actual practices,” note the authors.
The FTC was recently asked to testify as to the standards it uses to assess what is “reasonable,” but Gordon and Argento said Bureau of Consumer Protection Deputy Director Daniel Kaufman “sidestepped questions about specific data security practices that would fail the reasonableness standard” and, instead, pointed to FTC consent orders and guidance brochures, emphasizing that it’s a case-by-case analysis.
However, the authors have compiled a checklist for employers using the information mentioned by Kaufman, which highlights actions to be taken to secure access controls, minimize data, train employees and vendors, destroy documents adequately and safeguard networks. To reduce the enforcement risk by the FTC, Gordon and Argento suggest establishing an information security program following these standards and implementing it throughout the organization. Seems “reasonable” enough.



Read more: http://www.corpcounsel.com/id=1202658974104/Define-%27Reasonable%27-When-It-Comes-to-Data-Security#ixzz34RVkRrkL

