Dan Appelman: Reducing enforcement risks for inadequate cybersecurity protections

Target, Sony, JP Morgan Chase, Home Depot, Neiman Marcus, Anthem and others have already reported significant security breaches. So it’s not surprising that the federal government and states are becoming increasingly aware of the need for strong data protection laws and their enforcement.

The Wyndham case discussed in the prior post held that the FTC has authority to bring legal action against companies that fail to employ reasonable cybersecurity measures to protect non-public consumer data.

What does the FTC expect? Companies collecting private consumer data must employ reasonable cybersecurity policies, programs and procedures that adhere to industry standards, and that take notice of the guidance provided by the FTC in public statements and its previous consent decrees.

But what the FTC expects today may not be the same as what the FTC expects tomorrow. Technology changes. Available cybersecurity tools get better and cheaper. Societal expectations increase. So “reasonable cybersecurity measures” is a moving target. Consequently, cybersecurity policies, programs and procedures must be regularly reviewed and updated to account for changes over time in technology, company practices and legal and regulatory requirements.

That being said, companies collecting personal information from consumers can minimize the risk of an enforcement action by doing the following:

Assume that your company will be a target for hackers and plan accordingly. Don’t wait to institute good security measures until after you are attacked.

Deploy regularly updated firewalls, antivirus, and web security solutions throughout your network.

Change passwords frequently, especially administrator passwords; and don’t allow easily guessed passwords.

Map your consumer private data so you know where it is, where it is moved, where it is backed up and archived, and what protections are in place to secure it.

Use strong encryption for protecting sensitive data, particularly personal and financial information belonging to consumers.

Limit access to only those employees who have a “need to know” and require them to change their passwords frequently. Each such employee should have his/her own user account with a unique user name and password to enhance accountability and traceability.

Back up sensitive data frequently.

Update software frequently; intruders often find and use flaws in operating systems and browsers that are subsequently fixed by the vendors in updates.

Limit administrator privileges to prevent installation of unauthorized software.

Perform background checks on employees having any access to sensitive information or data.

Develop an incident response plan with written procedures; and designate an appropriate incident response team.

Document breaches systematically and in writing when they occur.

Keep abreast of changing industry and FTC guidelines, including the guidance provided by previous FTC enforcement actions.

Determine whether outside help is needed to terminate the breach, prevent recurrence and comply with notification and other legal requirements.

Finally, remember that the FTC is not the only governmental entity charged with enforcing cybersecurity practices to protect consumer data.

California, for example, has the Information Practices Act — part of the California Civil Code. It requires businesses that own, license or maintain personal information about California residents (including consumer information) to implement and maintain reasonable security procedures and practices to protect that personal information from unauthorized access, destruction, use, modification or disclosure. See Cal. Bus. & Prof. Code §§ 17200, 17202-17206.

Violations of the Information Practices Act can be enforced through the remedies provided by California’s Unfair Competition Law.

Other states have similar laws.


Daniel Appelman is a partner in the Menlo Park-based law firm of Montgomery & Hansen LLP. His practice focuses on complex technology-related transactions and strategic alliances. He’s a former chair of the California Bar’s Cyberspace Law Committee, vice chair of the American Bar Association’s Privacy and Information Protection Committee, former vice chair of the California Bar’s Business Law Section, and a member of the International Bar Association’s Technology Law Committee. He holds a JD from the UCLA School of Law and a Ph.D. in telecommunications law and public policy from Temple University. He can be contacted here.



1 Comment

  1. Thanks for this post!
    Indeed, cybercrime is a growth industry: the returns are great, and the risks are low.
    A dollar value of cybercrime includes:
    – the loss of intellectual property,
    – the theft of financial assets and sensitive business information,
    – additional costs for securing networks,
    – the cost of recovering from cyber attacks
    And also the most important one – the reputational damage.
