A company with unreasonable security measures may capture the attention of the U.S. Federal Trade Commission. Unreasonable security measures can expose a company to FTC enforcement and, even more importantly, place it at risk of a data breach.
For both of these reasons, a company must take care to ensure the security measures it implements are reasonable. But the FTC does not provide a definition of “reasonable security.” Instead, companies typically piece together their own definitions based on industry norms and standards and by determining what the FTC has found to be unreasonable in the past using FTC complaints as a guide. IAPP Senior Westin Research Fellow Müge Fazlıoğlu, CIPP/E, CIPP/US, offered some insight into the definition by looking at all complaints between August 2015 and May 2018.
However, even after looking at FTC complaints, there can still be uncertainty around what “reasonable security” means.
There were even more open questions after the 11th Circuit Court decision in LabMD, Inc. v. Federal Trade Commission. As a quick refresher, an administrative law judge initially dismissed the FTC’s complaint against LabMD, a clinical testing laboratory that allegedly failed to provide reasonable and appropriate safeguards against unauthorized access to consumers’ personal information. The judge wrote that, at best, the complaint proved the “possibility,” not the “probability or likelihood,” of harm. In July 2016, the Commission reversed the judge’s ruling. On appeal, the 11th Circuit found the FTC’s order to lack “specificity” and thus to be “unenforceable,” reasoning that it would have put the district court “in the position of managing LabMD’s business in accordance with the commission’s wishes.” The FTC’s order stated that LabMD’s security practices were unreasonable and ordered LabMD to “put reasonable security systems in place,” without specifying what reasonable security entailed.
The FTC has since taken action to provide greater clarity around the notion of reasonable security.
In a recent webinar on "FTC Enforcement Lessons in Privacy and Security," Linda Holleran Kopp, an attorney in the FTC’s Division of Privacy and Identity Protection, outlined three key changes the FTC has made to data security orders. First, while orders still require a comprehensive data security program, the language is now more specific and names particular safeguards that address the problems alleged in the complaint. The safeguards mandated in the orders, including annual training, access controls, monitoring for security incidents and others, offer organizations a window into FTC expectations.
Second, the orders elevate data security issues to the C-suite and board level. This too provides organizations a sense of what the FTC considers to be a robust security governance structure.
Third, new data security orders have increased accountability for third-party assessors. Among other requirements, the orders require assessors to review the substantive protections in the organization’s security program rather than merely looking at management protocols. Here organizations can find lessons about what the FTC considers a reasonable security audit. These changes are evident in the June 2019 DealerBuilt settlement. States too have taken action, complementing FTC efforts by drafting laws that further delineate reasonable security.
Calif.’s Reasonable Security Law
On Jan. 1, the same day the California Consumer Privacy Act took effect, another privacy law went into effect in California. Senate Bill 327, Security of Connected Devices, requires manufacturers of connected devices to equip the device with reasonable security features that are (1) “[a]ppropriate to the nature and function of the device”; (2) “[a]ppropriate to the information the device may collect, contain, or transmit”; and (3) “[d]esigned to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.”
SB 327 defines “manufacturer” as “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.” It defines “connected device” as “any device or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or Bluetooth address.”
In addition to the three criteria of appropriate for the device, appropriate for the information, and designed to protect the device and information, SB 327 gives some clarity to what is considered a reasonable security feature. If a connected device is equipped with a means for authentication outside a local area network, the device is deemed to have a reasonable security feature if either the preprogrammed password is unique to each device manufactured, or the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time. Note that this safe harbor covers only the authentication feature; the three general criteria still apply to the rest of the device.
Ore.’s Reasonable Security Law
While California was the first state to enact an internet-of-things law in 2018, Oregon followed closely behind in enacting House Bill 2395. Oregon’s IoT law also went into effect Jan. 1. Oregon’s law closely resembles California’s SB 327. “Manufacturer” is defined as “a person that makes a connected device and sells or offers to sell the connected device in [Oregon].” Oregon’s law also states that a reasonable security feature may consist of a means for authentication from outside a local area network, including either a preprogrammed password that is unique for each connected device or a requirement that a user generate a new means of authentication before gaining access to the connected device for the first time.
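The two authentication options that both SB 327 and HB 2395 treat as reasonable (a per-device preprogrammed password, or a forced credential change before first access) are concrete enough to model in code. The following is an added example, not code from the article or from any manufacturer: it places the non-compliant "same default password on every unit" configuration beside the two statutory options. The serial numbers, the manufacturing batch key, the password derivation and the hashing parameters are all constructed assumptions for illustration.

```python
"""
Added example (not from the article): a model of the two authentication
safeguards SB 327 / HB 2395 deem reasonable for a device that accepts
authentication from outside the local network. Serials, batch key and
passwords are constructed.
"""
import hashlib
import hmac
import secrets

# Assumed manufacturing-line key. It never ships on the device; whoever holds
# it can recompute every unit's label password, so it is the secret that
# actually protects option 1 and belongs in the factory's HSM.
MANUFACTURING_KEY = b"constructed-batch-key-for-illustration"


def derive_unique_password(serial: str, key: bytes = MANUFACTURING_KEY) -> str:
    """Option 1: a preprogrammed password unique to each unit, derived from the
    serial so the factory can print it on the label without a database."""
    digest = hmac.new(key, serial.encode(), hashlib.sha256).digest()
    return digest[:12].hex()


def _hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count chosen for the example; tune to the device's CPU budget.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    """Authentication gate of a connected device.

    require_change_on_first_use=True models option 2: no login is granted,
    from anywhere, until the owner replaces the factory credential via the
    local setup flow.
    """
    MIN_PASSWORD_LEN = 12

    def __init__(self, serial: str, factory_password: str,
                 require_change_on_first_use: bool):
        self.serial = serial
        self.require_change = require_change_on_first_use
        self.credential_is_factory = True
        self._salt = secrets.token_bytes(16)
        self._hash = _hash_password(factory_password, self._salt)

    def _verify(self, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, self._salt), self._hash)

    def complete_setup(self, factory_password: str, new_password: str,
                       from_lan: bool) -> bool:
        """Owner's first-use flow: accepted only on the local network, only
        with the factory credential, and only for a genuinely new password."""
        if not from_lan or not self.credential_is_factory:
            return False
        if not self._verify(factory_password):
            return False
        if new_password == factory_password or len(new_password) < self.MIN_PASSWORD_LEN:
            return False
        self._salt = secrets.token_bytes(16)
        self._hash = _hash_password(new_password, self._salt)
        self.credential_is_factory = False
        return True

    def authenticate(self, password: str) -> bool:
        """Login attempt; a remote caller reaches this path directly."""
        if self.require_change and self.credential_is_factory:
            return False  # option 2: the factory credential never grants access
        return self._verify(password)


def demo() -> dict:
    """Three configurations side by side; returns the outcomes for checking."""
    # Non-compliant: same password on every unit, no forced change, so anyone
    # who knows the default logs in from the internet.
    shared = Device("SN-0001", "admin", require_change_on_first_use=False)
    # Option 1: unique preprogrammed password per unit.
    label_pw = derive_unique_password("SN-0002")
    unique = Device("SN-0002", label_pw, require_change_on_first_use=False)
    # Option 2: shared default, but unusable until the owner sets a credential.
    forced = Device("SN-0003", "admin", require_change_on_first_use=True)
    blocked_before_setup = forced.authenticate("admin")
    setup_ok = forced.complete_setup("admin", "owner-chosen-passphrase", from_lan=True)
    return {
        "shared_default_lets_guesser_in": shared.authenticate("admin"),
        "unique_rejects_common_default": unique.authenticate("admin"),
        "unique_accepts_label_password": unique.authenticate(label_pw),
        "unique_differs_between_units": label_pw != derive_unique_password("SN-0003"),
        "forced_blocks_factory_login": blocked_before_setup,
        "forced_setup_succeeds": setup_ok,
        "forced_old_default_dead": forced.authenticate("admin"),
        "forced_new_credential_works": forced.authenticate("owner-chosen-passphrase"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the side-by-side run is the first line of the output: with a shared default and no forced change, the device accepts "admin" from the internet, which is exactly the configuration both statutes are aimed at. Option 1 only helps if the batch key stays off the device and out of firmware images, and option 2 only helps if the setup flow itself cannot be reached from outside the LAN, which is why `complete_setup` checks `from_lan`.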
N.Y.’s SHIELD Act
New York’s Stop Hacks and Improve Electronic Data Security Act went into effect March 21. In addition to other important changes, which this IAPP article highlights, the SHIELD Act requires businesses that own or license New York residents’ private information to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.”
The SHIELD Act outlines elements of reasonable safeguards in each of the three categories (administrative, technical, physical). Reasonable administrative safeguards include training and managing employees in security program practices and procedures. Reasonable technical safeguards can include assessing risks in information processing, transmission and storage. Reasonable physical safeguards can include disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.
Additionally, a business is also deemed to be in compliance with the SHIELD Act’s data security requirements if it is already in compliance with security regulations under Title V of the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, Health Information Technology for Economic and Clinical Health Act, or other New York or federal data security rules or regulations.
Comparing the Calif., Ore. and N.Y. laws
California’s and Oregon’s reasonable security laws are principally similar. Both are short, to-the-point laws approaching reasonable security from an IoT context. Where Oregon’s law differs from California is in the definition of “connected device.” Oregon defines connected device as “any device or physical object that connects directly or indirectly to the internet and is used primarily for personal, family or household purposes.” The addition of personal purposes limits the scope of the law, whereas California’s law applies to any connected device.
While the California and Oregon laws are focused on connected devices and IoT, New York's SHIELD Act takes an expansive view of reasonable security. Accompanying this expansive view is an expansive list of specific safeguards for a reasonable security program, covering administrative, technical and physical safeguards. California and Oregon offer only two specific technical safeguards as options, and only for devices that accept authentication from outside a local area network; a company that implements either option is deemed to have a reasonable security feature. The SHIELD Act’s language instead qualifies its list of options with the words “such as,” rather than the either-or choice of California and Oregon, so a company could choose any number of the safeguards presented in New York's SHIELD Act.
A step toward clarity
While some have said the California and Oregon laws do not go far enough, both laws add to the discussion on what reasonable security means. New York's SHIELD Act includes several examples of reasonable safeguards within each of the administrative, technical and physical security categories. All three states give clarity to what they are looking for in deeming a program reasonably secure.
These laws highlight a trend in states requiring specific data security protections. Collectively, the laws add shape to the elusive meaning of “reasonable security.” Combined with the FTC’s recent efforts to add specificity, companies have increasing resources in defining reasonable security and implementing their data security programs.