DealerBuilt: New FTC security standard (2019 version)

Golden Data Law, published in Golden Data, Jun 21, 2019


Policemen outside the court where an Official Secrets Act case was being heard, apparently passing the time examining a pistol (probably a Luger) — February 20, 1933 — National Library of Ireland

Key points:

The days of allowing flexibility for organizations to implement reasonable security practices may be over. The DealerBuilt settlement demonstrates the FTC is moving in the direction of providing more detailed specifications for how companies should implement information security programs both under Section 5 of the FTC Act and the FTC’s Safeguards Rule under the GLBA.

In the past, the FTC allowed companies a degree of flexibility in implementing reasonable security practices, including entering into settlements that left room for companies to develop controls and procedures tailored to their unique risks. However, the days of allowing flexibility for organizations to implement reasonable security practices may be over. The DealerBuilt settlement suggests a trend towards imposing more specific requirements. This trend is the consequence of LabMD, a 2018 case where the Eleventh Circuit found an FTC order mandating security practices unenforceable because it did not enjoin a specific act or practice.

The data security obligations imposed on DealerBuilt go further than any previous settlement, and it is likely that the FTC will seek to impose similar requirements in future settlements. The heightened standards are consistent with the FTC’s recent proposed amendments to the Safeguards Rule under…


Golden Data Law is a mission-driven benefit corporation that provides legal services to the not-for-profit community and to governmental agencies.