"The Commission has, through all the materials I've mentioned, said that companies need to use readily available measures to identify reasonably known security risks, and one of the methods of doing that would be penetration tests," he said. However, a determination of whether a company erred in not doing a penetration test is typically determined on a case-by-case basis, he said.
Kaufman said companies trying to determine the FTC's data security expectations could also easily get that information from previous settlement agreements between the agency and breached entities.
A spokesman for Cause of Action was quick to point out that Kaufman's testimony shows that the agency's enforcement actions are based on no specific standard.
The fact that the FTC is pointing to things like blog posts, press releases, website postings and flyers as sources is significant, he said. "Essentially, the standard is a random conglomeration of 'no clear standard' and Kaufman repeatedly says it's a case-by-case basis. If anything, it shows that a company would have no idea what the standard is," he said in emailed comments.