News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | The evolution of the 'reasonable security' standard in the US context Related reading: Keeping the fires burning for federal privacy legislation

rss_feed

A company with unreasonable security measures may capture the attention of the U.S. Federal Trade Commission. Unreasonable security measures can subject a company to FTC fines and, even more importantly, place it at risk of a data breach.

For both of these reasons, a company must take care to ensure the security measures it implements are reasonable. But the FTC does not provide a definition of “reasonable security.” Instead, companies typically piece together their own definitions based on industry norms and standards and by determining what the FTC has found to be unreasonable in the past using FTC complaints as a guide. IAPP Senior Westin Research Fellow Müge Fazlıoğlu, CIPP/E, CIPP/US, offered some insight into the definition by looking at all complaints between August 2015 and May 2018.

However, even after looking at FTC complaints, there can still be uncertainty around what “reasonable security” means.

There were even more open questions after the 11th Circuit Court decision in LabMD, Inc. v. Federal Trade Commission. As a quick refresher, a judge initially dismissed the FTC’s complaint against LabMD, a clinical testing laboratory, which allegedly failed to provide reasonable and appropriate safeguards against unauthorized access to consumers’ personal information. The judge wrote that, at best, the complaint proved the “possibility,” not the “probability or likelihood” of harm. In July 2016, the FTC overturned the judge’s ruling. On appeal, the 11th Circuit found the FTC’s order to lack “specificity” and thus to be “unenforceable,” arguing it would have put the district court “in the position of managing LabMD’s business in accordance with the commission’s wishes.” The FTC’s order stated that LabMD’s security practices were unreasonable and ordered LabMD to “put reasonable security systems in place,” without specifying what reasonable security entailed.

The FTC has since taken action to provide greater clarity around the notion of reasonable security.

In a recent webinar on "FTC Enforcement Lessons in Privacy and Security," Linda Holleran Kopp, an attorney in the FTC’s Division of Privacy and Identity Protection, outlined three key changes the FTC has made to data security orders. First, while orders still require a comprehensive data security program, the language is more specific and includes specific safeguards to address problems alleged in the complaint. The specific safeguards mandated in the orders, including annual training, access controls, monitoring for security incidents and others, offer organizations a window into FTC expectations.

Second, the orders elevate data security issues to the C-suite and board level. This too provides organizations a sense of what the FTC considers to be a robust security governance structure.

Third, new data security orders have increased accountability for third-party assessors. The orders require assessors to review the substantive protections in the organization’s security program rather than merely looking at management protocols, among other requirements. Here organizations can find lessons about what the FTC considers a reasonable security audit. These changes are evident in the June 2019 DealerBuilt settlement. States too have taken action, complementing FTC efforts by drafting laws that further delineate reasonable security.

Calif.’s Reasonable Security Law

On Jan. 1, the same day as the California Consumer Privacy Act, another privacy law went into effect in California. Senate Bill 327 Security of Connected Devices requires manufacturers of connected devices to equip the device with reasonable security features that are (1) “[a]ppropriate to the nature and function of the device”; (2) “[a]ppropriate to the information the device may collect, contain, or transmit”; and (3) “[d]esigned to protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure.”

SB 327 defines “manufacturer” as “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.” It defines “connected device” as “any device or other physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an internet protocol address or Bluetooth address.”

In addition to the three criteria of appropriate for the device, appropriate for the information, and designed to protect the device and information, SB 327 gives some clarity to what is considered a reasonable security feature. If a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature if a preprogrammed password is unique to each device manufactured or the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

Ore.’s Reasonable Security Law

While California was the first state to enact an internet-of-things law in 2018, Oregon followed closely behind in enacting House Bill 2395. Oregon’s IoT law also went into effect Jan. 1. Oregon’s law closely resembles California’s SB 327. “Manufacturer” is defined as “a person that makes a connect device and sells or offers to sell the connected device in [Oregon].” Oregon’s law also states that a reasonable security feature may consist of a means for authentication from outside a local area network, including either a preprogrammed password that is unique for each connected device or a requirement that a user generates a new means of authentication before gaining access to the connected device for the first time.

N.Y.s SHIELD Act

New York’s Stop Hacks and Improve Electronic Data Security Act went into effect March 21. In addition to other important changes, which this IAPP article highlights, the SHIELD Act requires businesses that own or license New York residents’ private information to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.”

The SHIELD Act outlines elements of reasonable safeguards in each of the three categories (administrative, technical, physical). Reasonable administrative safeguards include training and managing employees in security program practices and procedures. Reasonable technical safeguards can include assessing risks in information processing, transmission and storage. Reasonable physical safeguards can include disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

Additionally, a business is also deemed to be in compliance with the SHIELD Act’s data security requirements if it is already in compliance with security regulations under Title V of the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, Health Information Technology for Economic and Clinical Health Act, or other New York or federal data security rules or regulations.

Comparing the Calif., Ore. and N.Y. laws

California’s and Oregon’s reasonable security laws are principally similar. Both are short, to-the-point laws approaching reasonable security from an IoT context. Where Oregon’s law differs from California is in the definition of “connected device.” Oregon defines connected device as “any device or physical object that connects directly or indirectly to the internet and is used primarily for personal, family or household purposes.” The addition of personal purposes limits the scope of the law, whereas California’s law applies to any connected device.

While the California and Oregon laws are focused on connected devices and IoT, New York's SHIELD Act takes an expansive view of reasonable security. Accompanying this expansive view is an expansive list of specific safeguards for a reasonable security program. This list covers administrative, technical and physical safeguards. California and Oregon only give two specific technical safeguards as options. But if a company chooses one of the two options, then it is deemed a reasonable security feature. The SHIELD Act’s language qualifies its list of options with the words “such as” rather than an either-or choice, like California and Oregon. A company could choose any number of safeguards presented in New York's SHIELD Act.

A step toward clarity

While some have said the California and Oregon laws do not go far enough, both laws add to the discussion on what reasonable security means. New York's SHIELD Act includes several examples of reasonable safeguards within each of the administrative, technical and physical security categories. All three states give clarity to what these states are looking for in deeming a program reasonably secure.

These laws highlight a trend in states requiring specific data security protections. Collectively, the laws add shape to the elusive meaning of “reasonable security.” Combined with the FTC’s recent efforts to add specificity, companies have increasing resources in defining reasonable security and implementing their data security programs.

Photo by ipse dixit on Unsplash

Author
Headshot Bailey Sanchez IAPP Member Contributor
Tags
U.S.
Enforcement
FTC
Privacy Law
Westin Research Center
3 Comments

If you want to comment on this post, you need to login.

  • comment William Kellermann • Jun 4, 2020 
    In California's February, 2016 Data Breach Report, then Attorney General Kamela Harris recommended:  "The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.
 
Thus the CSC 20 is the minimum standard to meet for any business who collects personal information of California Consumers.
  • comment Tricia Wood • Jun 4, 2020 
    Great summary.  Would be incredibly helpful if it also included a document that summarizes the specific security controls suggested from the FTC and the states which could serve as a checklist/discussion tool with security teams.
  • comment Saundra Kae Rubel • Jun 5, 2020 
    @William Kellerman, I remember, I was there.  @Tricia Wood, yes, yes that would have been additionally helpful [connecting with you offline on LI.]
Related Stories
Are COPPA safe harbor programs getting the job done?
The U.S. Federal Trade Commission last week announced its settlement with a gaming app developer over its false claim of membership in a Children’s Online Privacy Protection Act safe harbor program, and alongside the announcement, a Democratic commissioner has called for a revamp of self-regulatory ...
Read More queue Save This
Related Stories
Tags
U.S.
Enforcement
FTC
Privacy Law
Westin Research Center
Recent Comments