Many companies are still wondering how to develop and implement a data security program that meets the FTC’s reasonableness requirement. “There is a hunger for a checklist,” Kelley Drye partner Alysa Hutnik told the Cybersecurity Law Report. Although not necessarily applicable across the board, the NIST Cybersecurity Framework, along with the FTC’s comments on it and its release of a new breach response guide, serve as useful resources. In this second part of our two-part series on the FTC’s data security expectations in the context of the NIST Cybersecurity Framework, in-house and outside counsel discuss how the Framework’s core functions align with the FTC’s requirements. They also provide steps companies of all types and sizes can take to incorporate these functions into their own security practices. Part one explored the implications of the FTC’s recent communication and detailed three initial steps companies should take to meet the FTC’s reasonableness standard. See also “A Behind-the-Curtains View of FTC Security and Privacy Expectations” (Mar. 16, 2016).