Navigating the Nebulous Legal Landscape of Cybersecurity

By Stephen A. Grossman, Esq.
November 2, 2015

Your privacy and security policies could be deemed to be unfair and deceptive, especially if there is a data breach.

The ever-evolving and uncertain legal landscape of cybersecurity is a challenge to every management level in almost every business sector. Inconsistent and vague guidance from government agencies has made it difficult for companies to know what level of risk tolerance is acceptable and what an adequate or reasonable security program looks like, one that will pass regulatory muster in the event of a cyber-attack or breach. Rather than publishing regulations that articulate clear standards – or even the basic elements – of an effective cybersecurity program, government agencies, and the Federal Trade Commission in particular, penalize companies after a breach or incident has occurred.

Those tasked with cybersecurity at their company are left to navigate a nebulous legal landscape in which vague government agency “guidance” is the standard, and those same agencies and the courts have adopted an unworkable compliance framework akin to the first legal standard for obscenity: we know it when we see it. In the context of cybersecurity, what is the “it” that companies should avoid? Until the case law develops and clearer standards emerge, the answer is not at all straightforward and varies by industry. In this article, we use the FTC as an example to demonstrate the lack of well-defined standards and to compile, from the FTC’s enforcement actions, some best practices that provide a little clarity in the nebulous legal landscape of cybersecurity.

The FTC is charged with protecting consumers and promoting competition. The FTC’s primary legal authority comes from Section 5 of the Federal Trade Commission Act (“FTC Act”), which prohibits unfair or deceptive practices in the marketplace. While the FTC Act, which dates back to 1914, does not specifically mention cybersecurity, the FTC has used its broad authority under Section 5 of the FTC Act to protect consumers’ privacy and personal information.  In the words of the FTC:

“The FTC uses a variety of tools to protect consumers’ privacy and personal information. The FTC’s principal tool is to bring enforcement actions to stop law violations and require companies to take affirmative steps to remediate the unlawful behavior. This includes, when appropriate, implementation of comprehensive privacy and security programs, biennial assessments by independent experts, monetary redress to consumers, disgorgement of ill-gotten gains, deletion of illegally obtained consumer information, and provision of robust notice and choice mechanisms to consumers.”

In short, your privacy and security policies or program could be deemed unfair or deceptive, especially if there is a data breach. Unfortunately, the FTC has not published regulations that define or specify the required elements of a privacy or security program against which a company could benchmark its own cybersecurity practices. Without such regulations, avoiding an enforcement action for unfair privacy and security practices is difficult when the FTC has the power to decide or define – unilaterally, on an ad hoc basis, and after a breach has occurred – what the “it” is that is unfair. Indeed, a federal court of appeals recently upheld the FTC’s authority to regulate cybersecurity under the unfairness provision of Section 5 of the FTC Act. For now, then, we are left to extract the privacy and security practices that the FTC deemed unfair or deceptive from its numerous enforcement actions. Earlier this year (2015), the FTC issued “guidance” distilled from settlements in 50 enforcement actions in its publication “Start with Security: A Guide for Business.” While that guidance is not law, and no court made findings in those actions (they were settlements), right now it is the only source for understanding the “it” that the FTC deems unfair.

To help benchmark your cybersecurity policies and programs, here are some continual themes, in no order of importance, that have emerged.

  • Encrypt Sensitive Data at All Times.  A recurrent theme in a number of FTC complaints is the failure to encrypt data throughout its lifecycle. The FTC accused a hospitality company of engaging in unfair cybersecurity practices that “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft” when, among other things, the company stored payment card information in clear readable text. Beyond simply encrypting data in a company’s own network, data must be encrypted when it passes through a third party service provider.  A company engages in an unfair security practice when “personal information [is] not encrypted…from the time of submission until it was received by [the company].  Instead, [the company] encrypted sensitive personal information only while it was being transmitted between a visitor’s web browser and the website’s server []; once the information reached the server…operated by a service provider outside of [the company’s] computer network, it was decrypted and emailed…in clear, readable text.”
  • Require – and Enforce – Robust Passwords.  Key to this principle is that strong authentication procedures must be employed not just internally, but also for remote access and for third parties, such as vendors, who have access to network systems.  Failing to “establish or enforce policies sufficient to make administrative passwords hard to guess, including policies that: (1) prohibit the use of common dictionary words as [] passwords; and (2) require that such passwords be unique – i.e., different from any password that the employee uses to access third-party programs, websites, and networks” is an unfair privacy and security practice.
  • Ensure Vendors/Suppliers/Third Parties Have Adequate Security.  If your company uses third parties to handle or store personal information, you must evaluate the third party’s computer network and take steps to ensure that appropriate data security measures are present.  The FTC alleged that a lender and one of its owner/managers violated the FTC Act because they failed to “visit[] the seller’s workspace or audit[] the computer network… in order to assess that network’s vulnerability to attack by a hacker or other unauthorized user…” and “… failed to take reasonable steps to assess the seller’s procedures to handle, store, or dispose of personal information.” In a more recent matter, the FTC alleged that a transcription “company hired service providers to transcribe sensitive audio files, but failed to require the service provider to take reasonable security measures. As a result, the files – many containing highly confidential health-related information – were widely exposed on the internet. For starters, the business could have included contract provisions that required service providers to adopt reasonable security precautions – for example, encryption.”
  • Train, Train, and Train.  While many cybersecurity programs devote significant resources to external threats, far more prevalent causes of incidents are physical theft or loss, miscellaneous errors, and, most importantly, insider misuse. According to the figure the author cites, incidents caused by mistakes or purposeful misuse by an organization’s own employees account for 90.4 percent of all reported security incidents. The FTC has alleged that a company fails to “provide reasonable and appropriate security for personal information on its computers and networks” when it fails to “[a]dequately train employees about security to prevent unauthorized disclosure of personal information.”
  • Practice What You Preach.  The FTC’s enforcement actions revolve around a company’s failure to live up to representations made to consumers, including a company’s security practices. Whatever representations are made in your company’s privacy policy, make sure they are part of your cybersecurity program. Failure to do so not only will invite government scrutiny, but also potential civil consumer fraud violations, which in many states provide for triple damages and attorneys’ fees. Indeed, the most recent FTC case to reach the federal court of appeals provoked one of the judges to remark:

“A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”
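The first theme above turns on a distinction practitioners often miss: TLS protects data only between the visitor’s browser and whichever server terminates the connection. If that server belongs to a service provider that then e-mails the form onward, the provider holds the plaintext, which is exactly the practice the FTC called unfair. The example below is added here and is not code from the article or from any company named in it. It assumes the company publishes an RSA public key to the hosted form, that the browser-side code encrypts the submission to that key (AES-256-GCM for the data, RSA-OAEP to wrap the data key), and that the service provider simply forwards the opaque envelope. The key pair, the sample submission and the `ProviderCanRead` check are all constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what leaves the visitor's browser and passes, unchanged, through
// the service provider to the company. Only the company's private key can unwrap
// the data key, so the provider never holds the plaintext.
type Envelope struct {
	WrappedKey []byte // AES data key, RSA-OAEP encrypted to the company's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext with authentication tag appended
}

// Seal runs on the visitor's side (hypothetical client-side form code): the
// submission is encrypted to the company's public key before it is sent anywhere.
func Seal(companyPub *rsa.PublicKey, submission []byte) (*Envelope, error) {
	dataKey := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, submission, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, companyPub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs only inside the company's own network, where the private key lives.
// GCM authentication means a modified envelope is rejected rather than decrypted.
func Open(companyPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, companyPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// ProviderCanRead models the service provider that terminates TLS and forwards
// the form by e-mail: it reports whether the bytes it holds still contain the
// sensitive field in clear, readable text.
func ProviderCanRead(forwarded, sensitive []byte) bool {
	return bytes.Contains(forwarded, sensitive)
}

func main() {
	companyPriv, _ := rsa.GenerateKey(rand.Reader, 2048) // demo key, not a real deployment key
	submission := []byte("name=Jane Doe&ssn=123-45-6789")   // constructed sample form post
	ssn := []byte("123-45-6789")

	// Hop-by-hop model from the FTC complaint: TLS ends at the provider,
	// which then e-mails the decrypted form onward.
	fmt.Println("provider can read SSN (TLS only):   ", ProviderCanRead(submission, ssn))

	// End-to-end model: the provider only ever forwards an opaque envelope.
	env, _ := Seal(&companyPriv.PublicKey, submission)
	forwarded := bytes.Join([][]byte{env.WrappedKey, env.Nonce, env.Ciphertext}, nil)
	fmt.Println("provider can read SSN (end-to-end):", ProviderCanRead(forwarded, ssn))

	got, _ := Open(companyPriv, env)
	fmt.Println("company recovers submission:       ", bytes.Equal(got, submission))
}
```

Two practical caveats: the company’s private key must genuinely stay off the provider’s infrastructure (a hosted form that also hosts the decryption key is the same exposure in a different costume), and contract language with the provider should still require TLS for the hop, since the envelope hides the sensitive fields but not the fact that a submission occurred.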

Perhaps the lessons learned from those who have been caught in the FTC’s crosshairs will help bring some clarity to cyber practitioners responsible for protecting sensitive information. For the foreseeable future, however, the legal landscape of cybersecurity will be in flux, but hopefully the “it” will move beyond the subjectivity of the government agencies regulating cybersecurity.

KEYWORDS: cybersecurity compliance data breach data loss prevention FTC regulations

Stephen A. Grossman is chair of Montgomery McCracken’s Data Privacy and Cybersecurity practice and co-chair of its E-Discovery practice.  Grossman also counsels clients in all business sectors and industries in all aspects of data management, litigation readiness, electronic discovery, cybersecurity, and data privacy.
