The NIST Cybersecurity Framework, while useful, is not a panacea, the FTC recently said, leaving many companies still wondering how to develop and implement a data security program that meets the regulator’s reasonableness requirement. With input from in-house and outside counsel, we examine the FTC’s data security expectations in the context of the NIST Cybersecurity Framework. Part one of this two-part series explores the implications of the FTC’s recent communication, how and when practitioners use the Framework and details three initial steps companies should take to meet the FTC’s reasonableness standard. Part two will cover the Framework’s core functions, how they align with the FTC’s requirements and steps companies can take to incorporate these functions into their own security practices. See also “A Behind-the-Curtains View of FTC Security and Privacy Expectations” (Mar. 16, 2016).