Skip to main content
Top Button

FTC Order recognizes certain security certifications qualify professionals to perform data security

January 19, 2017
FTC Order recognizes certain security certifications qualify professionals to perform data security assessments

The Federal Trade Commission (FTC) announced a settlement with the operators of, resolving FTC and state charges of consumer deception and failure to safeguard 36 million users' account and profile information stemming from a data breach in July of 2015.  In the complaint, the FTC alleged that defendants engaged in practices that, when taken together, "failed to provide reasonable security to prevent unauthorized access to personal information on their network."

To settle the FTC and state actions, the defendants were ordered to pay $1.6 million in monetary relief to the federal government, various states, and the District of Columbia.  The settlement also required the defendants to implement a comprehensive data-security program to appropriately safeguard the security, confidentiality, and integrity of personal information collected from or about U.S. consumers.  In accordance with the settlement, at a minimum, the defendants must implement an information security program and risk management plan, perform risk assessments, and assess the sufficiency of security measures, as well as perform regular evaluations to determine any adjustments to improve the effectiveness of the information security program.

Additionally, the defendants must obtain initial and biennial assessments (continuing for 20 years) of their mandated security program. The assessments must be performed by a "qualified, objective, independent third party professional, who uses procedures and standards generally accepted by the profession." The assessor must be an individual qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); an individual holding Global Information Assurance Certification (GIAC) from the SANS Institute; or a qualified individual or entity approved by the Associate Director for Enforcement, Bureau of Consumer Protection, FTC.

Click here for further information and analysis on the case.

For more information on data security, contact any member of our Data Security and Privacy team.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances. 


View Full Site View Mobile Optimized