Enforcement action guidelines also outline regulator’s priorities for compliance.
1/23/2020 12:00
Accounts receivable management industry companies reviewing their data security policies and procedures can look to the Federal Trade Commission’s recently revised and improved orders issued in the event of a complaint or data security breach.
Data security legislation and regulation is also one of the state trends to follow this year, as reported in Collector magazine, and employee education on risks to watch for in the digital world is also critical.
ACA International's Certified Instructors Leslie Bender, IFCCE, CCCO, chief strategy officer and general counsel, BCA Financial Services Inc., Debra Ciskey, IFCCE, executive vice president of The Collections Coach LLC, and Kelly-Knepper Stephens, vice president of legal compliance at TrueAccord Corp., will discuss these data security compliance topics, including how the FTC, Consumer Financial Protection Bureau state regulators and lawmakers prioritize the issue, in Data Security & Privacy II, Jan. 28-29.
The FTC’s orders, used for seven various companies already in 2020, reflect changes suggested during the FTC’s Hearing on Competition and Consumer Protection in the 21st Century and data security orders in December 2018.
“Since the early 2000s, our data security orders had contained fairly standard language. For example, these orders typically required a company to implement a comprehensive information security program subject to a biennial outside assessment,” said Andrew Smith, director of the FTC Bureau of Consumer Protection, in a news release.
A June 2018 U.S. Court of Appeals for the 11th Circuit decision in LabMD vs. the Federal Trade Commission that struck down an FTC data security order as “unenforceably vague,” also influenced the revisions, according to the news release.
The FTC’s data security order improvements include:
- “First, the orders are more specific. They continue to require that the company implement a comprehensive, process-based data security program, and they require the company to implement specific safeguards to address the problems alleged in the complaint. Examples have included yearly employee training, access controls, monitoring systems for data security incidents, patch management systems, and encryption. These requirements not only make the FTC’s expectations clearer to companies, but also improve order enforceability.”
- “Second, the orders increase third-party assessor accountability. We still rely on outside assessors to review the comprehensive data security program required by the orders, and now we require even more rigor in these assessments. For example, the orders clearly and specifically require assessors to identify evidence to support their conclusions, including independent sampling, employee interviews, and document review. The assessors must retain documents related to the assessment, and cannot refuse to provide those documents to the FTC on the basis of certain privileges. When FTC staff can access working papers and other materials, they are better able to investigate compliance and enforce orders. Perhaps most importantly, our new orders give us the authority to approve and re-approve assessors every two years. If an assessor falls down on the job, we will withhold approval and force the company to hire a different assessor.”
- “Third, the orders elevate data security considerations to the C-Suite and board level. For example, every year companies must now present their board or similar governing body with their written information security program — and, notably, senior officers must now provide annual certifications of compliance to the FTC. This will force senior managers to gather detailed information about the company’s information security program, so they can personally corroborate compliance with an order’s key provisions each year. Requiring these kinds of certifications under oath has been an effective compliance mechanism under other legal regimes (e.g., securities law), and we expect it will likewise ensure better year-round governance and controls regarding FTC data security orders.”
Read more on the FTC’s revisions here and ACA member firm Mac Murray and Shuster Senior Attorney Josh Stevens also has some insights on the company’s blog.
ACA members are also invited to start the conversation on data security on The Hub, our online member community and on Facebook and Twitter @ACAIntl on Tuesday, Jan. 28, which is #DataPrivacyDay2020.
In addition to the Jan. 28-29 seminar, ACA continually offers data security and privacy education, check the online events calendar and 2020 Spring Forum & Expo agenda for opportunities. Registration savings for the Spring Forum & Expo are available until Jan. 31, 2020.