
Navigating the Nebulous Legal Landscape of Cybersecurity

By Stephen A. Grossman, Esq.
November 2, 2015

Your privacy and security policies could be deemed to be unfair and deceptive, especially if there is a data breach.

The ever-evolving and uncertain legal landscape in the world of cybersecurity is a challenge to all management levels in almost every business sector. Inconsistent and vague guidance from various government agencies has made it difficult for companies to know what level of risk tolerance is acceptable and what is an adequate or reasonable security program that will pass regulatory muster in the event of a cyber-attack or breach. Instead, government agencies – and the Federal Trade Commission in particular – are penalizing companies after a breach or incident occurs instead of publishing regulations that articulate clear standards – even basic elements – that constitute an effective cybersecurity program.

Those tasked with cybersecurity at their company are left to navigate this nebulous legal landscape where vague government agency “guidance” is the standard upon which those same agencies and the courts have adopted an unworkable compliance framework akin to the first legal standard for obscenity: we know it when we see it. In the context of cybersecurity, what is the “it” that companies should avoid?  Until the case law develops and clearer standards emerge, the answer is not at all straightforward and varies by industry.  In this article, we will use the FTC as an example to demonstrate the lack of well-defined standards and to compile from the FTC’s enforcement actions some best practices to help provide a little clarity in the nebulous legal landscape of cybersecurity.

The FTC is charged with protecting consumers and promoting competition. The FTC’s primary legal authority comes from Section 5 of the Federal Trade Commission Act (“FTC Act”), which prohibits unfair or deceptive practices in the marketplace. While the FTC Act, which dates back to 1914, does not specifically mention cybersecurity, the FTC has used its broad authority under Section 5 of the FTC Act to protect consumers’ privacy and personal information.  In the words of the FTC:

“The FTC uses a variety of tools to protect consumers’ privacy and personal information. The FTC’s principal tool is to bring enforcement actions to stop law violations and require companies to take affirmative steps to remediate the unlawful behavior. This includes, when appropriate, implementation of comprehensive privacy and security programs, biennial assessments by independent experts, monetary redress to consumers, disgorgement of ill-gotten gains, deletion of illegally obtained consumer information, and provision of robust notice and choice mechanisms to consumers.”

In short, your privacy and security policies or program could be deemed to be unfair and deceptive, especially if there is a data breach. Unfortunately, the FTC has not published regulations that define or specify the required elements of a privacy or security program against which a company could benchmark its own cybersecurity practices. Without such regulations, avoiding an enforcement action for unfair privacy and security practices is difficult when the FTC has the power to decide or define – unilaterally, on an ad hoc basis, and after a breach has occurred – what the “it” is that is unfair. Indeed, a federal court of appeals upheld the FTC’s authority to regulate cybersecurity using the unfairness provision of Section 5 of the FTC Act. We currently are left, then, with extracting the privacy and security practices that the FTC deemed unfair or deceptive from the numerous FTC enforcement actions. Just this year, the FTC issued “guidance” distilled from settlements in 50 enforcement actions in its publication “Start with Security: A Guide for Business.” While the FTC’s guidance is not law, and no findings were made by a court in those actions, right now it is the only source for understanding the “it” that the FTC deems unfair.

To help benchmark your cybersecurity policies and programs, here are some continual themes, in no order of importance, that have emerged.


  • Encrypt Sensitive Data at All Times.  A recurrent theme in a number of FTC complaints is the failure to encrypt data throughout its lifecycle. The FTC accused a hospitality company of engaging in unfair cybersecurity practices that “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft” when, among other things, the company stored payment card information in clear readable text. Beyond simply encrypting data in a company’s own network, data must be encrypted when it passes through a third-party service provider.  A company engages in an unfair security practice when “personal information [is] not encrypted…from the time of submission until it was received by [the company].  Instead, [the company] encrypted sensitive personal information only while it was being transmitted between a visitor’s web browser and the website’s server []; once the information reached the server…operated by a service provider outside of [the company’s] computer network, it was decrypted and emailed…in clear, readable text.”
  • Require – and Enforce – Robust Passwords.  Key to this principle is that strong authentication procedures must be employed not just internally, but also for remote access and for third parties, such as vendors, who have access to network systems.  Failing to “establish or enforce policies sufficient to make administrative passwords hard to guess, including policies that: (1) prohibit the use of common dictionary words as [] passwords; and (2) require that such passwords be unique – i.e., different from any password that the employee uses to access third-party programs, websites, and networks” is an unfair privacy and security practice.
  • Ensure Vendors/Suppliers/Third Parties Have Adequate Security.  If your company uses third parties to handle or store personal information, you must evaluate the third party’s computer network and take steps to ensure that appropriate data security measures are present.  The FTC alleged that a lender and one of its owner/managers violated the FTC Act because they failed to “visit[] the seller’s workspace or audit[] the computer network… in order to assess that network’s vulnerability to attack by a hacker or other unauthorized user…” and “… failed to take reasonable steps to assess the seller’s procedures to handle, store, or dispose of personal information.” In a more recent matter, the FTC alleged that a transcription “company hired service providers to transcribe sensitive audio files, but failed to require the service provider to take reasonable security measures. As a result, the files – many containing highly confidential health-related information – were widely exposed on the internet. For starters, the business could have included contract provisions that required service providers to adopt reasonable security precautions – for example, encryption.”
  • Train, Train, and Train.  While many cybersecurity programs devote significant resources to external threats, far more prevalent threats are physical theft/loss, miscellaneous errors, and, most importantly, insider misuse. In fact, breaches caused by mistakes or purposeful misuse by an organization’s employees account for 90.4 percent of all reported security incidents. The FTC has alleged that a company fails to “provide reasonable and appropriate security for personal information on its computers and networks” when it fails to “[a]dequately train employees about security to prevent unauthorized disclosure of personal information.”
  • Practice What You Preach.  The FTC’s enforcement actions revolve around a company’s failure to live up to representations made to consumers, including a company’s security practices. Whatever representations are made in your company’s privacy policy, make sure they are part of your cybersecurity program. Failure to do so not only will invite government scrutiny, but also potential civil consumer fraud violations, which in many states provide for triple damages and attorneys’ fees. Indeed, the most recent FTC case to reach the federal court of appeals provoked one of the judges to remark:

“A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”

Perhaps the lessons learned from those who have been caught in the FTC’s crosshairs will help bring some clarity to cyber practitioners responsible for protecting sensitive information. For the foreseeable future, however, the legal landscape of cybersecurity will be in flux, but hopefully the “it” will move beyond the subjectivity of the government agencies regulating cybersecurity.

KEYWORDS: cybersecurity compliance, data breach, data loss prevention, FTC regulations


Stephen A. Grossman is chair of Montgomery McCracken’s Data Privacy and Cybersecurity practice and co-chair of its E-Discovery practice.  Grossman also counsels clients in all business sectors and industries in all aspects of data management, litigation readiness, electronic discovery, cybersecurity, and data privacy.
