The U.S. Court of Appeals agreed with LabMD that a Federal Trade Commission (FTC) order directing the company to “establish a comprehensive information security program” was too vague. The ruling has changed how the FTC frames penalties after it audits organizations to confirm that those collecting data are also taking steps to protect it.
The new safeguards required by the FTC include:
Organizations that collect data online, even if only for marketing purposes, would be well served to align proactively with the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) if they operate only in the U.S., or to consider the International Organization for Standardization’s (ISO) framework for locations outside the U.S. Alignment with either of these recognized standards has been found to be “reasonable” and “comprehensive” in past cases.