White Paper – Study: What FTC Enforcement Actions Teach Us About the Features of Reasonable Privacy and Data Security Practices

Published: October 2014

Westin Research Fellow Patricia Bailin, CIPP/US, has pieced together the most comprehensive view to date of the FTC’s reasonable data security standards.

This study suggests possible guidelines for regulatory compliance based on what the FTC has determined is inadequate in a series of enforcement actions. Importantly, instead of looking for guidance from the tersely phrased settlement orders, it parses the FTC’s complaints. By pointing out what companies did not have in their data security programs, the FTC provided a peek into what, in its opinion, these companies should have done. In doing so, the study organizes the FTC’s requirements into seven categories: Privacy, Security, Software/Product Review, Service Providers, Risk Assessment, Unauthorized Access/Disclosure and Employee Training. (October 2014)