Good Information Protection Programs Coming into Focus


Corporate compliance officers grapple all the time with what their companies should do to develop effective information protection programs. Thankfully, the Federal Trade Commission has given us two recent enforcement actions that we can study to answer that question.


The two cases, against an online liquor store and an online student services business, are eerily similar. Both companies allowed poor cybersecurity practices to take root in their operations and didn’t bother to implement well-known, relatively straightforward protection measures. Those lapses left the companies exposed to internal and external threats alike – and sure enough, both companies suffered painful data breaches.


The FTC then imposed consent decrees against both companies, requiring steps such as better security training, more comprehensive written policies, and more frequent risk assessments.


Taken together, the two settlements read like a set of cybersecurity best practices that the FTC (and other regulators) wants companies to adopt. And since the need for better information protection and privacy is going nowhere but up, compliance officers would do well to understand what those best practices are.


Begin with the failures


We can start with a review of what these companies didn’t do to protect the personal data in their possession. Skimming through the FTC complaints, we find failures such as:


  • No written policies, procedures, or practices for how to safeguard personal data

  • Inadequate training on security procedures, for both employees and third-party contractors

  • No monitoring of network activity to detect and (ideally) intercept unauthorized transfers of data outside the network

  • Poor access control, including blunders such as not cutting off access for terminated employees, allowing weak passwords, and failing to use multi-factor authentication at appropriate places

  • No data destruction polici ..
