FTC explains 'reasonable' cybersecurity

Federal Trade Commission headquarters in Washington, D.C.

Federal Trade Commission headquarters in Washington, D.C. Bill O'Leary/The Washington Post via Getty Images

From risk-based management to staying up-to-date about known vulnerabilities and their patches, the Federal Trade Commission is detailing key steps companies can take to avoid getting hit with a data security complaint.

The Federal Trade Commission expects companies to have “reasonable patching procedures in place” to identify and mitigate known vulnerabilities, a senior attorney for the FTC's Division of Privacy and Identity Protection said on Thursday at a meeting of the Information Security and Privacy Advisory Board. 

James Trilling, who in part works on enforcement actions involving information security and privacy, outlined specific steps the commission expects organizations to take to protect consumer data from foreseeable risks – and to avoid getting hit with a data security complaint, which cost Equifax $575 million as part of a settlement agreement with the FTC.

The FTC wants companies to include risk-based management processes and evaluations throughout their operations, as well as implement regular training actions around threat detection and mitigation. 

The commission has published a series of publicly available guidelines and recommendations for the private sector around patching vulnerabilities, warning companies to remediate the Log4j security threat in early January and even providing a step-by-step response for dealing with a data breach.

“Step one in terms of reasonableness would be having practices in place to know whether the particular vulnerabilities are within one’s infrastructure,” Trillings said on Thursday at the ISPAB meeting, noting that follow-up steps should include evaluating the feasibility of implementing timely patches within particular environments. 

Trilling also said the FTC may also take action against a company “for not availing themselves of information … about the serious nature of a vulnerability and how to mitigate it.”

“Any reasonableness inquiry is going to be fact specific,” he added. “What’s going to be reasonable is going to vary organization-to-organization somewhat dependent on what the nature of the data is that could be put at risk, what the size and complexity of the particular business and its data operations look like, as well as what information is out there to help identify particular vulnerabilities and what tools are out there to mitigate them.”