Pub. 13 2018-2019 Issue 2

NEBRASKA BANKERS ASSOCIATION

Counselor’s Corner

Inc. v. Federal Trade Commission, the court invalidated an FTC order in a case involving data security. Although banks typically need not concern themselves with the FTC, the decision has implications for enforcement actions by bank regulators and is potentially relevant beyond the data security realm.

The FTC enforcement action arose out of a determination that LabMD had failed to implement reasonable data security measures to protect consumer information. The FTC concluded that this failure was an unfair act or practice which allowed the FTC to take enforcement action. That conclusion was disputed and ultimately appealed. Privacy and data security practitioners hoped the appeals court would provide useful guidance on the subject. The court, however, simply assumed for the sake of argument that the FTC was correct: the failure to implement and maintain a data security program was an unfair act or practice and the FTC had authority to take enforcement action.

All was not lost for LabMD, though. The court evaluated the terms of the FTC’s cease and desist order and found it unenforceable. According to the court, the cease and desist order identified no specific unfair acts or practices from which LabMD was required to abstain.
Instead, the order required LabMD to implement and maintain a reasonably designed data security program. In the words of the court, the order required implementation of a program “reasonably designed” “to the Commission’s satisfaction.” The order actually stated:

It is ordered that the respondent shall, no later than the date this order becomes final and effective, establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers by respondent or by any corporation, subsidiary, division, website, or other device or affiliate owned or controlled by respondent. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers.

In the court’s view, the order was not specific enough:

It does not enjoin a specific act or practice. Instead, it mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished. Moreover, it effectually charges the district court with managing the overhaul. This is a scheme Congress could not have envisioned.

If one were inclined to argue with the court, one might point out that there was some further specificity in the order. The order went on to say that LabMD’s program needed to include:

A. The designation of an employee or employees to coordinate and be accountable for the information security program;

B. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the
