A closer look at the FTC Equifax settlement
Updated: Aug 24, 2019
July 22, 2019
tl;dr: For security teams, it's not just about the money.
Right on the heels of Facebook's reported $5 billion fine stemming from privacy program lapses, today the FTC delivered a substantial settlement and proposed fine in the Equifax data breach case.
Today's settlement relates to the 2017 data breach that impacted over 140 million people. Most of the news is about the dollar amount of the fine and recourse available for individuals impacted by the breach (details on that here).
What caught my eye about the proposed order and settlement is the length and detail that the FTC goes into with regard to the security program Equifax will now have to put into place.
I recently wrote about the FTC applying guidance on compliance programs to security and privacy, and this is another, more comprehensive, example.
The FTC has been vocal about upping their game when it comes to privacy and security program requirements in enforcement cases.
In this proposed order, the FTC details both security program requirements (e.g. role-based access control) and specific actions (e.g. create an asset inventory).
Security teams should be paying attention to the bar being set by the FTC.
Let’s take a look at the federal “elements” of an effective compliance program compared to Equifax’s mandated information security program [read my previous article for more information about this federal guidance].
Federal "elements" vs. Equifax Security Program Requirements:
The FTC makes a strong statement in the proposed Equifax settlement about their expectations for security programs, and it's likely that we will continue to see these specific requirements in future enforcement cases.
Security leaders at companies large and small should be paying attention so that we can be proactive when it comes to program building or improvement.
This article is part of a series I'm writing about trends in privacy and security enforcement cases as they relate to program structure and effectiveness. Find Part 1 here. Thanks for reading!
Follow me on Twitter @ldhawke
Sources and further reading:
FTC v. Equifax, Inc. [Proposed] Stipulated Order for Permanent Injunction and Monetary Judgment - July 22, 2019