The U.S. Circuit Court of Appeals recently ruled that the Federal Trade Commission (FTC) has the authority to regulate aspects of corporate cyber security and may penalize those who fail to properly safeguard customer information. Some background is in order.
For a number of years, the FTC has been making waves in cyber security by strictly enforcing regulations around product claims and product responsibilities, especially when data breaches or customer data protection were involved. A majority of the 50 or so FTC actions in security have been settled by consent decree, ultimately involving multi-year oversight and fines in some cases. Wyndham Worldwide (a hotelier) decided to push back against the FTC with a lawsuit. Their approach was entirely unsuccessful.
The failed lawsuit stems from breaches Wyndham suffered in 2008 and 2009. In one of the breaches, hackers accessed credit card information and other personally identifiable information (PII) from over 600,000 customers, leading to over $10.5 million in fraudulent charges on consumers’ cards. The FTC filed suit against Wyndham in 2012, claiming that its computer systems weren’t protecting customer data effectively.
In a word, yes.
A well-argued Columbia Law Review paper contends that the FTC’s 170 settlement agreements over the last few years (since 1997) are functionally equivalent to a body of common law. That is, the FTC has codified a set of norms and best practices which it uses to guarantee baseline privacy protections for consumers. These standards are about as close to “rules” as you might want. For what it’s worth, this body of settlement agreements puts the FTC way out in front of any other federal agency when it comes to privacy and security. Its rulings are effectively the law of the land for businesses that deal with personal information, so much so that the FTC is viewed as the de facto federal data protection authority.
In its early days, the FTC focused on enforcing company-crafted privacy rules. It is way past that now. Section five of the FTC charter prohibits “unfair or deceptive acts or practices in or affecting commerce.” That’s the FTC’s primary source of authority. Note that “unfair information security practices” is one of five distinct unfairness theories the FTC operates under. When it comes to security, the FTC relies on industry standards and other norms (FCRA, GLBA, COPPA, Safe Harbor, HIPAA) to identify a particular set of practices that together constitute what it is looking for.
The DPIP (Division of Privacy and Identity Protection) is the most relevant FTC division when it comes to enforcing security.
The best way to avoid getting into the FTC’s crosshairs is to avoid being like the 170 companies who found themselves in hot water. This is a bit like driving while looking in the rear-view mirror, but that’s how it goes. There are pretty obvious patterns in the settlements that we can use as guidance in computer security. In fact, most people (including the authors of the Columbia Law Review paper) think the incremental development is pushing the “body of law” forward in a stable way. The FTC carefully crafts consent decrees so that they will “have a huge impact on other businesses in the same industry or that use similar practices.” These days, the FTC judges companies according to “consumer expectation” rather than “company representation.”
The FTC has been evolving its “rules” from an almost entirely self-regulatory regime (based on making sure that company policy is fair) to something that resembles more of an actual regulatory regime. Any corporate CSO is now on the hook to know this stuff.
Businesses with poor security measures in place—leading to a breach of sensitive data, for example—face repercussions that can be seriously detrimental. If security, and in particular the idea of ‘Building Security In,’ has been on your company’s radar, but isn’t yet an active consideration, it’s high time to move it up the priority list. And by move up, we mean to the top of the list!
By implementing a software security initiative (SSI), your business can substantially reduce the risk of a breach. What once might have constituted a tragic blow to a company’s reputation is now likely to involve an FTC aftershock of equally epic proportions. Avoid the legal war zone and the risk of being seen as an industry-wide pariah by building security and privacy into your products.
If your business is found to have insufficient security practices in place, and you end up the victim of a security breach, the FTC has the authority to investigate your company and possibly find your business at fault for the breach. They can legally require your business to undergo third-party security assessments every two years over a 20-year period. And they can also levy significant fines.
If your business maintains an aggressive stance in defending against the latest threats by following industry-recognized best practices, then there’s no need to worry. This is a small price to pay to keep the FTC out of your hair.
On the other hand, if you don’t have a security strategy in place and you aren’t really sure what your security practices are, it’s time to snap out of whatever false sense of security you may have and create a definitive SSI to protect your business’s most precious data.
Now is the time to take action. Gather the security and legal executives for a meeting of the minds. Begin developing a strategy to protect internal and customer data by adopting and documenting industry best practices. And don’t mislead your customers about security by making claims you can’t back up.
Know that every business is a target—from small regional businesses to the largest multi-national enterprises. The threat is real, but the solution is equally clear.
Ensure that your developers and security professionals are educated on the most up-to-date information involving vulnerabilities and solutions that can be put in place to build security in. On a system-specific level, conduct an architecture risk analysis of your existing systems, review your code, and carry out penetration testing to find potential vulnerabilities. Use the BSIMM as a measuring stick to compare yourself to other firms.
Gary McGraw is the former vice president of security technology at Synopsys (SNPS). He is a globally recognized authority on software security and the author of eight best-selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and six other books, and he is editor of the Addison-Wesley Software Security Series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a periodic security column for SearchSecurity, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of MaxMyInterest, Ntrepid, and RavenWhite. He has also served as Advisor to Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). He holds a dual Ph.D. in cognitive science and computer science from Indiana University, where he serves on the Dean’s Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy Magazine (syndicated by SearchSecurity).