On Wednesday, January 14, 2009, the Boston Bar Association’s Privacy Law Committee hosted FTC Chief Privacy Officer Mark Groman for a brown bag lunch presentation entitled “The View from the Federal Trade Commission’s Chief Privacy Officer.” Here are a couple of highlights from the presentation:
- Mr. Groman views law firms as businesses subject to FTC Red Flags regulations (“we regulate you, too”), so law firms should be developing identity theft prevention programs to comply with the regulations by the May 1, 2009 deadline.
- To comply with FTC’s Red Flags regulations, companies need to use a “risk-based process” to evaluate potential threats and take reasonable and appropriate steps to mitigate them. Every business needs to adopt a written plan, but the FTC will not be talking to us “about particular technology” because there is a consensus that technology moves too quickly for regulators to approve or disapprove of any particular technology or counter-measures.
- The FTC has brought 23 cases relating to information security issues. If you need guidance on what security measures the FTC believes must be implemented to meet federal regulations in specific circumstance, Mr. Groman suggested that we review the decisions in those cases. In particular, Mr. Groman specifically suggested that everyone should be taking what he views as simple and inexpensive measures to protect against the SQL injection exploit, in which an individual attempts to insert computer code into a company’s database using the company’s website. (The FTC website refers to this exploit as one of many “commonly known and reasonably foreseeable attacks” that can be protected against by implementing “simple, free or low-cost, and readily available security defenses.”)
- The primary questions businesses should to be asking themselves when they are drafting an identity theft prevention program are: (1) what have you done to date to protect against existing threats?; (2) what is “the technology of the day” used to address those threats?; and (3) “how much does it cost?”
- Mr. Groman confirmed that there is no one-size-fits-all solution to adopting an identity theft prevention program, and the FTC does not have a model plan to provide affected companies. “Privacy plans are like pants; they have to be tailored.”
- The fact that there has been a data breach incident does not mean that a company’s information security program is necessarily at fault. The FTC has investigated “plenty of breaches where the [company’s] security was reasonable” and has also investigated companies that have not had any incidents where the security was insufficient.
- The FTC recognizes that businesses, lawyers and whole industries are confused by what the new Red Flags regulations require. The FTC is likely to issue additional guidance on this topic soon.