Cyber Tactics / Cyber Security News / Columns

Facing an Uncertain Future in Cybersecurity Enforcement

The FTC has become the nation’s leading force to drive and enforce consumer privacy

In my April column, I explored how corporate executives can use the National Institute of Standards and Technology (NIST) Cybersecurity Framework to develop enough non-technical expertise to successfully navigate key cybersecurity risk management concepts.  Not surprisingly, federal regulatory agencies  have found the Framework useful too.  So how might the work of two federal agencies in particular result in broadly adopted cybersecurity standards and practices, all without the passage of new legislation, rules or regulation?


The Federal Trade Commission Wins Big

The FTC has become the nation’s leading force to drive and enforce consumer privacy. Still, it was not without controversy when the FTC, without first defining “reasonable” security, began to bring more and more cases against companies for failing to “reasonably” secure consumer information. One company fought back, arguing in part that the FTC violated “basic principles of fair notice and due process” by holding companies to standards without any “rules, regulations or other guidelines explaining what data-security practices the Commission believes [the law] to forbid or require.” 

In early April, a federal district court considered the argument and then issued a resounding victory for the FTC. The court held that the FTC must be allowed “flexibility” in bringing unfairness claims, and accepted the notion that the body of consent decrees entered into between the FTC and industry help define what is “reasonable” data security. As a result of this decision, should the FTC begin referencing the NIST Framework in future consent decrees, the Framework very well might become the legal standard of reasonableness for all U.S. cases involving consumer privacy.

In early May, the FTC’s Chief Administrative Law Judge held that in an enforcement action the FTC must disclose “what data security standards, if any” it has published and intends to rely upon to demonstrate that a company’s data security practices are not reasonable and appropriate. The FTC has suggested that, at a minimum, every company should expect to be judged by a 2011 FTC business guidance brochure as well as against whatever industry guidance sources the particular company has adopted for itself. 

Meanwhile, the FTC Commissioner recently testified before Congress, recognizing that “there is no one-size-fits-all data security program.” Coming as quite a relief to many, the Commissioner acknowledged that perfect security is not at the heart of the reasonableness test, assuring weary businesses reeling from unrelenting hackers that “the mere fact that a breach occurred does not mean that a company has violated the law.”


SEC Starts Asking Questions

The odds are high that this year your company will have to answer at least one cybersecurity questionnaire. Companies are asking their third party vendors to describe their cybersecurity practices; law firms and auditors are stressing the need for companies to conduct cybersecurity due diligence prior to any merger or acquisition; and, insurance carriers are asking questions about network security practices and risk culture in order to determine eligibility and pricing for cybersecurity insurance. 

On top of it all, this past April the SEC announced its intent to examine at least 50 registered broker-dealers and investment advisers to determine their “cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.”  The SEC also published a sample list of 28 requests for information that it “may use” when conducting its exams. Highlights include:

  • A copy of the firm’s information security policy and business continuity of operations plan;
  • A description of any potentially moderate or high-risk assessment findings that have not been fully remediated; 
  • Procedures for assessing cybersecurity risks posed by vendors and business partners.

Yet, the most significant aspect of the sample document request may be about its potential adoption by industry. The SEC is marketing the list as “intended to empower compliance professionals in the industry with questions and tools they can use to assess their firms’ level of preparedness” and, by extension, to assess the preparedness of third parties. Should industry voluntarily adopt all or part of the list (for example, during vendor contracting or preceding corporate transactions) the SEC very well could change the face of cybersecurity due diligence.

Although NIST prepared a voluntary cybersecurity framework, it would be a mistake to think that the government is waiting patiently for companies to adopt risk-based cybersecurity measures.  With the FTC and SEC taking over where NIST left off, the government’s influence can extend quickly and dramatically.  


About the Columnist:

 Steven Chabinsky is General Counsel and Chief Risk Officer for CrowdStrike, a cybersecurity technology firm that specializes in continuous threat monitoring, intelligence reporting, and network security pen-testing, assessments and incident response. He previously served as Deputy Assistant Director of the FBI’s Cyber Division. He can be reached at You can follow him on Twitter @StevenChabinsky

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Steven Chabinsky

You must login or register in order to post a comment.



Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.


Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security May 2015 Issue cover

2015 May

In the May 2015 issue of Security, learn how to be the bridge between busieness and security with "customer facing," how to effectively work with your CFO, and covert security.

Table Of Contents Subscribe

Body Cameras on Security Officers

Body cameras are being used increasingly by police in cities across the U.S. Will you arm your security officers with a body camera?
View Results Poll Archive


Effective Security Management, 5th Edition.jpg
Effective Security Management, 5th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.


Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.