Perhaps by coincidence or perhaps by design, the FTC announced two enforcement actions based on sloppy security during Cybersecurity Awareness Month (i.e., October) 2022. We reported on the action against Drizly earlier. The most recent action was levied against Chegg, a provider of education technology. Chegg's lack of a reasonable security program resulted in four (4) breaches over roughly the same number of years, three of which resulted from phishing attacks targeting access to employee data and the fourth from a former contractor's continued access.
The takeaway from the Chegg order is that the FTC is ordering companies to take actions that are now, or soon will be, required by the five (5) state consumer data privacy laws that are pending effect, including: i) giving notice of what information will be collected, why it is being collected, and for how long it will be retained; ii) collecting less data when it is not necessary; iii) eliminating data when it is no longer needed; and iv) giving consumers access to their data and the right to deletion.
Furthermore, the FTC is focusing on prescriptive measures that will lead to reasonable security, including i) employee training, ii) requiring multi-factor authentication, and iii) developing a comprehensive information security program. Just as the FTC's actions are mirroring state law, it is likely that state regulators will look to the FTC for insight as to what constitutes "reasonable security."
Our privacy and cybersecurity team at Michael Best is tracking actions taken by both federal and state regulators and is available to assist with your questions and efforts to establish an adequate and sustainable security program.