Data security is often not just a legal requirement but a critical aspect of an organization’s reputation with consumers, and it also has national security implications. Many laws and regulations mandate that organizations implement “reasonable security,” a term this series has explored and, surprisingly, found to lack a clear definition. The first post of this series explored how reasonable security is derived from state legislation and enforcement outcomes. The second post examined the global and federal perspective, exploring how international law, federal legislation, and past executive orders shape organizations’ pursuit of “reasonable security.” This final post explores federal regulators’ rulemaking and enforcement actions, through which they continue to play a significant role in shaping “reasonable security.”

A Sample of Regulatory Rulemaking on Data Security

Federal agency rulemaking can have a significant economic impact, affecting industry innovation, job creation, and global commerce. Some question whether federal agencies overstep their statutory authority and would prefer Congress to pave the way forward, especially on comprehensive data privacy and security laws. Others believe rulemaking is well within the agencies’ statutory authority and an important process for filling gaps in the law. Nevertheless, even the rulemaking process, whose proposed rules are not always adopted, can provide crucial insights into the federal regulatory agencies’ enforcement agenda and perspective, potentially shaping the future of data security compliance for organizations.

In 2022, the Federal Trade Commission (FTC) launched an expansive and ambitious advance notice of proposed rulemaking (ANPR) on commercial surveillance and data security practices that harm consumers and competition. While this ANPR process is still ongoing and no rule has been adopted, it is important to note that the FTC still enforces data security under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices.” The ANPR suggested that new rules could help address enforcement limitations by setting clear legal requirements, incentivizing compliance, and providing clarity and predictability in applying the FTC Act to existing and emerging data security practices. For example, the ANPR’s data security questions asked whether encryption techniques, one of the data protection technologies discussed in this series, are necessary to achieve “reasonable security.” It also asked about the prescriptive data security requirements under the Gramm–Leach–Bliley Act’s Safeguards Rule. The FTC rulemaking process is an area in which every organization should actively participate, both to understand the FTC’s potential enforcement priorities and to ensure all perspectives are considered before rules are adopted, thereby playing a crucial role in shaping the future of data security regulation.

The Consumer Financial Protection Bureau (CFPB) enforces the prohibition on “unfair, deceptive, or abusive acts or practices” (UDAAP) in the Consumer Financial Protection Act (CFPA). The CFPB put companies under its purview on notice that failing to implement common security standards and practices would leave them with insufficient data protection and could result in UDAAP violations. The CFPB highlighted multi-factor authentication, password management, and timely software updates as industry-standard data security practices.

In 2023, the CFPB proposed a rule to implement personal financial data rights. The proposed rule addressed the data security requirements third parties must meet to access consumer financial data, including an application programming interface (API) framework that would let consumers share data with a third party without disclosing their login credentials, a practice that creates unnecessary security risk. Further, it would require third parties accessing consumer data to comply with a security program that satisfies the Gramm–Leach–Bliley Act’s Safeguards Rule.

The Securities and Exchange Commission (SEC) has been active in rulemaking to ensure that public companies adequately disclose security risks to prospective investors. In 2020, the SEC proposed amendments to the national market system plan governing the consolidated audit trail to increase data security. The amendments offered the SEC’s version of reasonable data security measures, such as an operational security plan that is updated yearly, multi-factor authentication, data access controls, encrypted internet connectivity for data transfers, and encryption of data at rest.

Regulatory Enforcement Actions

Regulatory enforcement actions illuminate the “reasonable security” standard. The FTC is one of the biggest players in enforcing data security standards. Since 2000, it has brought 89 cases against businesses that violated the FTC Act through inadequate data security. These FTC enforcement actions have shaped “reasonable security” expectations and act as a blueprint for organizations seeking to avoid similar failures.

In one example, the FTC entered a consent decree with Drizly over misrepresentation and inadequate data security practices stemming from a 2020 breach in which 2.5 million customers’ information was compromised. The FTC’s consent decree stated that Drizly failed to secure information left on a third-party platform, where bad actors could locate system vulnerabilities, infiltrate Drizly’s production environment, and access databases storing customer data. The FTC asserted that Drizly did not implement data security measures that are essential to satisfy “reasonable security,” such as developing adequate written information security standards (policies and procedures) and auditing those standards to ensure employees follow them. The FTC also pointed out issues with employee access control (complex password and multi-factor authentication requirements) and with system monitoring to identify data security events. However, Drizly did hash its customers’ stored passwords, using the message-digest 5 (MD5) hash algorithm, but the FTC noted that MD5 is “cryptographically broken” and that more secure hash algorithms exist, such as SHA-1 or SHA-2. An important takeaway here is that even a step in the right direction, such as hashing stored passwords, might fail to meet the reasonable security requirement if stronger data security technology exists. For a smaller company that lacks resources, keeping current on consent decrees is an excellent opportunity to learn from others’ mistakes.
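As an added illustration (not part of the original post and not Drizly’s code), the unsalted MD5 pattern the FTC faulted is shown beside a stronger SHA-2-based construction, PBKDF2-HMAC-SHA256 with a per-user random salt and constant-time verification; the sample password and the stored-record format are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential for the demonstration (not from the case).
SAMPLE_PASSWORD = "correct horse battery staple"


def weak_store(password: str) -> str:
    """The pattern the FTC faulted: a single unsalted MD5 digest.

    Every user with the same password gets the same digest, and MD5 is
    fast enough that a leaked table can be checked offline at high speed.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Hardened form: PBKDF2 over HMAC-SHA256 (a SHA-2 construction), with a
# random 16-byte salt per record and a deliberately high iteration count
# so each guess costs real work. Record format is an assumption:
#   pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>
ITERATIONS = 600_000
SALT_LEN = 16


def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record; a fresh salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: reject rather than raise
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)
```

Two users with the same password receive different records under `strong_store`, whereas `weak_store` yields the same digest every time, which is what makes a leaked MD5 table so revealing.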

Reasonable Security Takeaways

While not an exhaustive list, several key practices emerged throughout this series as critical for organizations to comply with “reasonable security” standards.

  1. Have a written data security policy, train employees, and audit the processes to ensure the policy is actively followed.
  2. Keep employee data access controls locked down. Require employees to have complex passwords. Ensure that employees who leave the organization or are reassigned and no longer need data access have their access privileges revoked.
  3. Secure sensitive data at rest and in transit, and limit access to employees who actually need it.
  4. Offer users or customers the option to enable multi-factor authentication.
  5. Continually monitor network traffic for compromising data security events.
  6. Update policies, technology, and security practices as the landscape evolves.
  7. Do not make false claims about data security practices.

Attaining reasonable security is a constantly evolving challenge for organizations. As the series explored, it is influenced by various factors, including state, federal, and global laws; federal regulators; and enforcement actions. Federal regulatory agencies, especially the FTC, are crucial in shaping data security compliance. Organizations should actively engage in these processes to understand regulators’ priorities and contribute to developing effective and reasonable data security standards. This proactive approach will better position organizations to avoid liability and maintain the trust of their customers in an increasingly data-driven market.