“The Federal Trade Commission: A Powerful Watchdog”
Does The US Have Federal Cybersecurity Laws That Apply Generally?
Well, yes actually….but it's not that clear what they all are.
The Federal Trade Commission (FTC) has broad authority to regulate American cybersecurity, but unlike the EU’s GDPR there is no written statute for implementing reasonable cybersecurity controls. The FTC uses its discretion to bring enforcement actions as it sees fit and the resulting case law of those actions are the guidance American firms must use to implement their cybersecurity system.
Believe it or not, the FTC claims its authority from the below law:
Section 5(a) of the FTC Act provides that “unfair or deceptive acts or practices in or affecting commerce . . . are . . . declared unlawful.”
It’s a bit convoluted, but essentially they are saying that not having adequate security measures in place constitutes an unfair or deceptive practice.
What does the FTC require in a nutshell?
Essentially, just an information security management program that reasonably protects data.
The more sensitive the data, the more stringent the safeguards have to be.
The bigger the company the more safeguards it is expected to enact.
The more cybersecurity promises a company makes, the more promises it must keep.
As with all case law, the FTC law is ever evolving, and as technology becomes more sophisticated the requirements to protect data also become more sophisticated.
How can I make sure my company is in compliance?
Select a good, industry respected cybersecurity standard and effect it in your business to the greatest extent your budget allows. I personally recommend either ISO 27001:2013, NIST, or HiTRUST if you are in the healthcare sector. Afterward, make sure that you increase the strength of your cybersecurity management system on an ongoing basis.
Digital Edge offers several reasonably priced cybersecurity packages to choose from and will provide you with white glove service in its implementation and upkeep.
Finally, you should check out the FTC website at https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/privacy-security-enforcement. It provides recent cybersecurity cases and blog posts to keep you abreast of the latest happenings at the FTC. It’s a great starting point for anyone interested.