Keywords

FTC, FTC Data, Data, Data Security, Jeff Kosseff, Ellis Fenske, Christopher Brown, Daniel Roche

Abstract

Over the past two decades, the Federal Trade Commission has brought dozens of enforcement actions against companies for failing to adequately secure customers’ personal information. The actions typically result in a consent decree, in which the company agrees to improve its data security practices and provide the FTC with oversight of those improvements. When the FTC first brought data security cases, its orders generally required the companies to adopt “reasonable” data security programs. But a 2018 Eleventh Circuit opinion, LabMD v. FTC, requires the orders to contain far more specific data security requirements. In this Article, we conduct an in-depth analysis of eighteen post-LabMD data security cases, with the goal of providing guidance to developers and users of software systems. Our analysis concludes that the FTC’s recent data security cases tailor the consent order requirements to the specific failures that led to the complaint. From these observations and implications, we derive lessons for software developers and users. Among the key lessons derived from the analysis of FTC cases: (1) software should limit access based on employee function; (2) organizations should encrypt data at rest; (3) software should focus on monitoring and logging anomalous activity; (4) organizations should restrict inbound network connections based on IP addresses; (5) organizations should emphasize process and people over specific technologies; and (6) software should enable layered protections that provide defense in depth.
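As an added illustration (not code from the Article or its authors) of how several of the listed lessons combine in practice, the following Python sketch layers three independent checks on an access request: inbound source-address allowlisting (lesson 4), permissions tied to employee function rather than to the individual (lesson 1), and logging of every denied or anomalous attempt for later monitoring (lesson 3), so that no single control is the only barrier (lesson 6). The role map, the allowed networks, the request shape and the sample requests are all hypothetical and constructed for the example.

```python
"""Added example, not part of the Article: a small authorization gate that
layers network allowlisting, function-based permissions and anomaly logging.
All roles, permissions, networks and requests below are hypothetical."""
import ipaddress
from dataclasses import dataclass, field

# Hypothetical role-to-permission map: what a user may do follows the job
# function of the role, not the seniority or identity of the person.
ROLE_PERMISSIONS = {
    "support_agent": {"customer:read"},
    "billing": {"customer:read", "payment:read"},
    "dba": {"customer:read", "customer:export"},
}

# Hypothetical allowlist of source networks (RFC 1918 and documentation ranges)
# from which inbound requests to the data store are accepted at all.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.0.2.0/24"),
]


@dataclass
class AccessRequest:
    user: str
    role: str
    permission: str
    source_ip: str


@dataclass
class Gate:
    # Denied attempts are retained here; a real system would ship them to a
    # SIEM, but the point is that every anomaly leaves a record.
    anomalies: list = field(default_factory=list)

    def _log(self, req: AccessRequest, reason: str) -> None:
        self.anomalies.append({
            "user": req.user,
            "role": req.role,
            "permission": req.permission,
            "source_ip": req.source_ip,
            "reason": reason,
        })

    def authorize(self, req: AccessRequest) -> bool:
        # Layer 1: reject anything not originating from an allowed network.
        try:
            ip = ipaddress.ip_address(req.source_ip)
        except ValueError:
            self._log(req, "unparseable source address")
            return False
        if not any(ip in net for net in ALLOWED_NETWORKS):
            self._log(req, "source address outside allowlist")
            return False
        # Layer 2: the role itself must be one the system knows.
        perms = ROLE_PERMISSIONS.get(req.role)
        if perms is None:
            self._log(req, "unknown role")
            return False
        # Layer 3: the requested action must be within that role's function.
        if req.permission not in perms:
            self._log(req, "permission not granted to role")
            return False
        return True


def run_demo():
    """Evaluate four constructed requests and return (decisions, anomaly log)."""
    gate = Gate()
    requests = [
        AccessRequest("alice", "support_agent", "customer:read", "10.20.5.7"),
        AccessRequest("alice", "support_agent", "customer:export", "10.20.5.7"),
        AccessRequest("bob", "dba", "customer:export", "203.0.113.9"),
        AccessRequest("carol", "intern", "customer:read", "192.0.2.44"),
    ]
    decisions = [gate.authorize(r) for r in requests]
    return decisions, gate.anomalies


if __name__ == "__main__":
    decisions, anomalies = run_demo()
    print(decisions)
    for entry in anomalies:
        print(entry)
```

Only the first request succeeds: the bulk export by a support agent is refused because it lies outside that function, the DBA's export is refused because it comes from outside the allowlist before the role is even consulted, and the unknown "intern" role is refused outright. Each refusal is recorded with its reason, which is the kind of record an anomaly-monitoring process needs.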
