FTC Official Says Companies Must Establish ‘Reasonable’ Cybersecurity to Avoid Legal Action
A ranking Federal Trade Commission official said that companies are expected to have “reasonable” cybersecurity mechanisms in place to quickly spot and fend off attackers who may try to exploit known vulnerabilities. James Trilling, a senior attorney for the commission’s Division of Privacy and Identity Protection, issued this statement following a steep fine imposed on credit reporting company Equifax over its failure to take adequate steps to secure its network, FCW reported Friday.
During an Information Security and Privacy Advisory Board meeting, Trilling said the FTC wants businesses to build risk-based management processes and evaluations into their operations and to conduct regular training on threat detection and mitigation. He stressed that companies should strive to protect consumer data from foreseeable risks to avoid actions like the one taken against Equifax.
The official said that the first step to having a reasonable level of protection is making the effort to find out if there are stand-out vulnerabilities within an organization’s data infrastructure. He added that if any particular weaknesses are found, then it is each company’s responsibility to ensure that they are adequately patched.
Trilling said that the FTC may also take action against a firm when it becomes apparent that it did not make the effort to avail itself of information about serious vulnerabilities and ways by which they could be mitigated. He emphasized that what can be considered a “reasonable” amount of cybersecurity measures may vary from firm to firm.
In July 2019, Equifax agreed to pay at least $575 million as part of a settlement with the U.S. government over allegations that it failed to take reasonable steps to secure its network, which led to a data breach in 2017 that affected approximately 147 million people, the FTC said on its website.