Dan Altieri is an attorney in HSE's Privacy and Data Security and Litigation practice areas. His experience includes cases involving breach of contract, privacy and data security, trade-secret protection and restrictive covenants, professional malpractice, commercial landlord/tenant lease issues, and general negligence.
In previous posts, we’ve highlighted the FTC’s broad regulation of the use, storage and protection of consumer data under Section 5(a) of the FTC Act and discussed how the FTC relies upon its authority under the Act to flex its muscles in the cybersecurity realm. The FTC’s touchstone for data protection is “reasonableness,” and for guidance on what it expects businesses to treat as reasonable, the FTC has pointed them to its speeches, congressional testimony, articles, blog entries, Commission materials and published settlements. It is for this reason that a blog post published last week on the FTC’s website, on what businesses should do if they are impersonated as part of a phishing scam, is so interesting.
In our first post in this series, we discussed the origins of the NIST Cybersecurity Framework and gave our assessment that the Framework would serve not only as a helpful tool for companies looking for support in securing their networks, but also as a guidepost for best practices in the realm of data security. Recent guidance published by the FTC gives credence to this assessment. In a blog post made available to the public just last week (available here), the FTC discussed the Framework and noted favorably that its “functions signify the key elements of effective cybersecurity.” This post discusses the importance of the FTC’s insight and identifies the Framework’s “Core” components.
These days, news of the latest data breach - whether involving a local “mom and pop” store or a national retailer - is constantly breaking. If it seems like breaches are becoming more and more common, it’s because they are. Much more, as it turns out.