Yesterday, the Federal Trade Commission (FTC) published data security guidance on its business blog that should be taken seriously by any corporate board. The article, “Corporate Boards: Don’t Underestimate Your Role in Data Security Oversight,” discusses the need for corporate boards of directors to be more involved with their respective companies’ data security and data management programs. As security threats and cyberattack risks increase for all types of companies that store data, it is important for key corporate stakeholders to be involved in the implementation, review, and problem-solving stages of their data security programs.

The FTC’s article highlights strategies used by some companies to ensure an effective data security program:

  1. “Build a team of stakeholders from across your organization.” Have people from the business, legal, and technology departments involved in security, including “high-level executives and the operational experts” on the ground.
  2. “Establish board-level oversight.” The board of directors should make data and cybersecurity a priority. When it does, adequate attention and resources can be directed toward defending against cybersecurity risks and attacks and correcting weaknesses as they are found.
  3. “Hold regular security briefings.” The board should be regularly informed on data and cybersecurity.

The FTC suggests that good data and cybersecurity can go beyond just legal compliance. In the article, the agency notes that, as each company is unique, companies should tailor their security programs to their specific needs. Boards should also ask tough fundamental questions that go to the root of their company’s data collection practices and the investments made (or needed) to protect that data. 

The article addresses the importance of a strong data security program and “a robust incident response plan” so that, in the event of an attack, it can be dealt with quickly and effectively. 

The timing of FTC guidance is rarely coincidental, and it should be taken as strong evidence that the agency will consider whether, and to what extent, corporate boards have established data security policies and procedures at the board level that resonate throughout their companies’ operations.