The Federal Trade Commission ("FTC") recently settled charges that a company's security practices unfairly exposed the payment card information of hundreds of thousands of companies' consumers to hackers in three separate data breaches. The settlement resolved a case brought by the FTC under Section 5 of the FTC Act, alleging that the data security practices in place at the company and its franchisee hotels were "unfair" and that the company's privacy policy statements regarding those practices were "deceptive." While data breaches themselves have become commonplace, this settlement provides valuable insight into what the FTC might consider as demonstrating adequate data security practices. Companies seeking to comply with the FTC's regulation of data security now have additional guidance, building upon the principles set forth in the FTC's June 2015 publication, Start with Security: A Guide for Business.

Comprehensive Information Security Program. To begin, a company should adopt a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of data. As part of this program, employees must be specifically identified to coordinate and be accountable for the program. Companies should consider establishing an Information Security Office ("ISO") that is primarily responsible for the operation, implementation, and functioning of the information security program.

Risk Assessments. The program should also implement risk assessments that evaluate and assess the company's risks in four key areas: 1) employee training and management; 2) information systems architecture, including storage, processing, transmission, and disposal of data; 3) risks from operation partners (e.g. vendors); 4) and, prevention, detection, and response to threats and systems failures. The risk assessment must then be followed by the design and implementation of safeguards to help address the identified risks.

Third-Party Safeguards. The settlement also suggests an onus on companies working with third-party service providers, to ensure that the third-party service providers have appropriate data security safeguards as well. Companies should perform the due diligence when assessing third-party partnership and must subsequently contract for adequate safeguards when working with third-parties.

Independent Audits. Companies should also consider annual audits by an independent auditor to certify that its information security program conforms to industry standards. For example, a retailer must conform to the Payment Card Industry Data Security Standard ("PCI-DSS"). A proper audit requires a qualified information security professional who is objective and independent, and uses generally accepted procedures and standards.

Compliance Program. Lastly, companies should also consider implementing a compliance program that ensures that the company, as well as any third-party vendors, affiliates, or other partners, are adhering to the information security program. The compliance program should ensure that the company maintains its security certifications (e.g. PCI-DSS) and undertakes all other applicable information security procedures.

While the applicability of the settlement provisions will depend on a variety of factors, companies subject to FTC jurisdiction should use this settlement as guidance to evaluate the gaps in their own data security and privacy postures. The settlement underscores many industry best practices that companies should consider in designing their own data security policies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.