The U.S. Appellate Court agreed with LabMD that an order by the Federal Trade Commission (FTC) for them to “establish a comprehensive information security program” was too vague, leading to changes in the way the FTC handles penalties after conducting audits to confirm that organizations who are collecting data are also taking steps to protect it.
The new safeguards being required by the FTC include:
- Independent third-party audits to confirm that cybersecurity controls are implemented and maintained
- Data encryption for sensitive data
- Ongoing vulnerability testing
- Programs to ensure that patching of vulnerabilities is being done
- Cyber awareness training for staff
Organizations that collect data online, even if only for marketing purposes, would be well-served to proactively align with either the National Institute of Standards and Technology’s Cyber Security Framework (NIST CSF) if U.S. only, or to consider using International Organization for Standardization’s (ISO) framework for locations outside of U.S. Alignment with either of these recognized standards has been found to be “reasonable” and “comprehensive” in past cases.