The consent decree has the standard provision that the company will no longer violate the FTC Act, but in addition, the above-referenced "comprehensive information-security program" that Life is good must institute requires administrative, technical, and physical safeguards tailored to the size of Life is good as a commercial entity, the nature of its activities, and the sensitivity of the personal information it collects. Specifically, the consent decree mandates an information-security program that includes:

• designation of an employee or employees to coordinate the information-security program
• identification of internal and external risks to the security and confidentiality of personal information, and assessment of the safeguards already in place
• creation and implementation of safeguards to control the risks identified in the risk assessment
• monitoring of the safeguards' effectiveness
• development of reasonable steps to select and oversee service providers that handle personal information of Life is good customers
• evaluation and adjustment of the program to reflect the results of monitoring, material changes to the company's operations, or "other circumstances" that may affect program efficacy
• bookkeeping and record-keeping to facilitate FTC monitoring of compliance with the consent decree

Further, the above-noted independent, third-party security auditor that Life is good must employ biennially for the next 20 years will be required to certify that the security program meets or exceeds the requirements of the consent decree and is operating with sufficient effectiveness to provide reasonable assurance of the security of consumers' personal information.
While the duration and reach of the information-security program's terms mandated by the consent decree may be heightened in part as a result of Life is good having been open to a hacker's attack that resulted in a compromise of consumers' sensitive data, the basic framework suggests what security measures the FTC believes most companies should have in place. It indicates that, in general terms, a company should have an employee (or, if necessary, several employees) charged with oversight of securing the sensitive personal information the company collects; routine information-security risk assessments and the establishment of safeguards against identified risks; and monitoring, bookkeeping and record-keeping that demonstrate the functioning and efficacy of the program. In addition, it appears the FTC expects companies to take at least reasonable steps to ensure that third parties with which a company shares its sensitive information have in place sufficient measures to ensure that any sensitive data that is shared will be secure upon receipt by the third party.
The FTC’s announcement of the consent decree provides an opportunity for all companies that collect sensitive personal information, and that publicly make promises about how they safeguard that data, to re-evaluate their data security programs to ensure they are meeting at least the minimum steps the FTC appears to expect. The FTC’s Protecting Personal Information: A Guide for Businesses is a good resource in this regard as well.