Sep 16 2016

Most recent FTC ruling makes clear – all US companies are required to implement and monitor an information security program

While HIPAA and PCI compliance are now part of our collective business vernacular, the majority of US companies still remain unaware of national information risk management standards. In specific industries, companies have accepted that they must fulfill the requirements of specific acts. From critical infrastructure to healthcare, these fields now require cybersecurity as a function within their entities’ risk management portfolios. Beyond that, third-party vendors are required to sign Business Associate Agreements (BAAs) that extend the scrutiny to an ever-expanding web of businesses.

To see that these standards are truly national, I invite you to review the latest opinion handed down by the FTC. In it, Chairwoman Edith Ramirez makes clear that every entity must “implement reasonable security measures to protect the sensitive consumer information on its computer network.”

In the FTC Order, the Commission lays out the notification requirements that are applicable to the affected individuals, and goes on to spell out what a reasonable security program entails: “Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers.” To appreciate this Order is to understand that cyber risk management isn’t a function of your IT department; it’s a C-suite imperative.

Without referencing it by name, the FTC is championing the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”). In response to Executive Order 13636 (EO 13636), NIST, in collaboration with various private industries, developed the Cybersecurity Framework. Whether by legislation, ruling, order, or national implementation of the NIST CSF, every company must develop a reasonable information security program.

To learn more, feel free to contact me at