Cyber Tactics / Cyber Security News / Columns

Facing an Uncertain Future in Cybersecurity Enforcement

The FTC has become the nation’s leading force to drive and enforce consumer privacy

In my April column, I explored how corporate executives can use the National Institute of Standards and Technology (NIST) Cybersecurity Framework to develop enough non-technical expertise to successfully navigate key cybersecurity risk management concepts.  Not surprisingly, federal regulatory agencies  have found the Framework useful too.  So how might the work of two federal agencies in particular result in broadly adopted cybersecurity standards and practices, all without the passage of new legislation, rules or regulation?

 

The Federal Trade Commission Wins Big

The FTC has become the nation’s leading force to drive and enforce consumer privacy. Still, it was not without controversy when the FTC, without first defining “reasonable” security, began to bring more and more cases against companies for failing to “reasonably” secure consumer information. One company fought back, arguing in part that the FTC violated “basic principles of fair notice and due process” by holding companies to standards without any “rules, regulations or other guidelines explaining what data-security practices the Commission believes [the law] to forbid or require.” 

In early April, a federal district court considered the argument and then issued a resounding victory for the FTC. The court held that the FTC must be allowed “flexibility” in bringing unfairness claims, and accepted the notion that the body of consent decrees entered into between the FTC and industry help define what is “reasonable” data security. As a result of this decision, should the FTC begin referencing the NIST Framework in future consent decrees, the Framework very well might become the legal standard of reasonableness for all U.S. cases involving consumer privacy.

In early May, the FTC’s Chief Administrative Law Judge held that in an enforcement action the FTC must disclose “what data security standards, if any” it has published and intends to rely upon to demonstrate that a company’s data security practices are not reasonable and appropriate. The FTC has suggested that, at a minimum, every company should expect to be judged by a 2011 FTC business guidance brochure as well as against whatever industry guidance sources the particular company has adopted for itself. 

Meanwhile, the FTC Commissioner recently testified before Congress, recognizing that “there is no one-size-fits-all data security program.” Coming as quite a relief to many, the Commissioner acknowledged that perfect security is not at the heart of the reasonableness test, assuring weary businesses reeling from unrelenting hackers that “the mere fact that a breach occurred does not mean that a company has violated the law.”

 

SEC Starts Asking Questions

The odds are high that this year your company will have to answer at least one cybersecurity questionnaire. Companies are asking their third party vendors to describe their cybersecurity practices; law firms and auditors are stressing the need for companies to conduct cybersecurity due diligence prior to any merger or acquisition; and, insurance carriers are asking questions about network security practices and risk culture in order to determine eligibility and pricing for cybersecurity insurance. 

On top of it all, this past April the SEC announced its intent to examine at least 50 registered broker-dealers and investment advisers to determine their “cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.”  The SEC also published a sample list of 28 requests for information that it “may use” when conducting its exams. Highlights include:

  • A copy of the firm’s information security policy and business continuity of operations plan;
  • A description of any potentially moderate or high-risk assessment findings that have not been fully remediated; 
  • Procedures for assessing cybersecurity risks posed by vendors and business partners.

Yet, the most significant aspect of the sample document request may be about its potential adoption by industry. The SEC is marketing the list as “intended to empower compliance professionals in the industry with questions and tools they can use to assess their firms’ level of preparedness” and, by extension, to assess the preparedness of third parties. Should industry voluntarily adopt all or part of the list (for example, during vendor contracting or preceding corporate transactions) the SEC very well could change the face of cybersecurity due diligence.

Although NIST prepared a voluntary cybersecurity framework, it would be a mistake to think that the government is waiting patiently for companies to adopt risk-based cybersecurity measures.  With the FTC and SEC taking over where NIST left off, the government’s influence can extend quickly and dramatically.  

 

About the Columnist:

 Steven Chabinsky is General Counsel and Chief Risk Officer for CrowdStrike, a cybersecurity technology firm that specializes in continuous threat monitoring, intelligence reporting, and network security pen-testing, assessments and incident response. He previously served as Deputy Assistant Director of the FBI’s Cyber Division. He can be reached at steve.chabinsky@crowdstrike.com. You can follow him on Twitter @StevenChabinsky

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Steven Chabinsky

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

September 2014

2014 September

In the September issue of Security Magazine, find out who this year's most influential people are in the security industry are. Also, take a peek at the technology products that ASIS 2014 will be showcasing at the upcoming event. Read about the lessons learned from security at the World Cup, find out why tactical medical training is a must for your enterprise and how Atlanta increased security by sharing surveillance.
Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+