[BreachExchange] 10 Lessons From FTC Guidance on Data Security

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 1 18:30:16 EST 2016


http://www.corpcounsel.com/home/id=1202751063013/10-Lessons-From-FTC-Guidance-on-Data-Security?mcode=1202614998157&curindex=0

“Not if, but when.” These simple words are enough to keep corporate
counsel, compliance officers and IT managers up at night when faced with
the reality that their network will at some point be breached. This is no
surprise given the spate of corporate breaches and unauthorized network
intrusions reported in recent years as well as the costs, reputational harm
and investigations and lawsuits that follow in their wake. While there are
no silver bullets to stop breaches from occurring, understanding and
following legal actions brought by regulatory agencies and heeding security
guidance they issue could go a long way in preventing security lapses and
unauthorized attacks.

There is no omnibus federal law that prescribes the level of security that
companies must use to protect consumer information. Instead, Congress has
identified certain categories of sensitive data that warrant regulation,
such as health and financial information, and online information collected
from children under 13, resulting in the Health Information Portability and
Accountability Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting
Act, and the Children’s Online Privacy Protection Act, respectively.

Each of the above laws (and their implementing regulations) to some extent
dictates specific data security standards for companies that possess
consumer information in these industries. But for the vast number of
companies that do not fall within these categories, knowing what standards
they are expected to employ to protect consumer information remains an
elusive task. Notwithstanding this void, companies that fail to develop a
comprehensive data security plan and implement at least some level of
minimum security measures to protect consumer information remain vulnerable
to attacks, lawsuits and regulatory investigations.

Enter the FTC

Companies that experience a data breach of some sort can expect to hear
from the Federal Trade Commission shortly following the breach becoming
public. The agency has brought over one hundred privacy and data security
cases under its broad jurisdictional authority pursuant to Section 5 of the
FTC Act (15 U.S.C. § 45), which empowers it to investigate and halt unfair
and deceptive acts and practices in commerce.

The FTC’s privacy enforcement docket has historically involved companies
that failed to abide by their posted privacy policies, which the agency
claims violated the FTC Act for being a deceptive trade practice. But the
FTC has also brought cases against companies that have failed to take
adequate precautions to protect consumer information, alleging that such
failure was unfair to consumers, since they could not reasonably avoid the
harm that may result from such inadequacies.

But therein lies the rub. How can the FTC claim that a company has not
adequately protected consumer information if it and Congress have not given
industry specific guidance to follow?

Two companies took the FTC to task on this issue by challenging the
agency’s authority to bring data security enforcement cases in the absence
of clear and prior guidance. Both of these cases have recently reached
resolution, with differing, though logical, results.

Last summer, the U.S. Court of Appeals for the Third Circuit upheld a
district court’s finding that the FTC does have the authority to review and
scrutinize a company’s data security practices under Section 5 of the FTC
Act. The FTC sued Wyndham Worldwide Corporation in federal district court
in December 2012 for failing to employ reasonable and appropriate
protections for consumer information, which resulted in several data
breaches and caused “the compromise of more than 619,000 consumer payment
card account numbers, the exportation of many of those account numbers to a
domain registered in Russia, fraudulent charges on many consumers’
accounts, and more than $10.6 million in fraud loss.”

Wyndham moved to dismiss the action by challenging the FTC’s authority to
bring claims under Section 5 in the absence of specific and particular data
security standards. The district court rejected Wyndham’s motion and the
Third Circuit affirmed.

Three months later an FTC administrative law judge ruled against the agency
in a case involving a cancer-screening laboratory’s failure to adequately
protect sensitive consumer information. The ALJ dismissed the agency’s
August 2013 complaint alleging that LabMD failed to employ “reasonable and
appropriate” data security for consumer information, which “caused, or is
likely to cause substantial injury to consumers.” As in Wyndham, the FTC
investigation followed several breaches at LabMD that collectively exposed
personal information of approximately 10,000 consumers. The FTC’s complaint
alleged that LabMD billing information for over 9,000 consumers was found
on a peer-to-peer (P2P) file-sharing network, and company documents
containing sensitive personal information of at least 500 consumers were
found in the hands of identity thieves.

The complaint concluded that LabMD’s alleged failure to employ such
measures amounted to an unfair trade practice under the FTC Act by causing,
or being likely to cause, substantial harm to consumers that is not
reasonably avoidable by consumers or outweighed by benefits to consumers or
competition. The ALJ disagreed, finding that “FTC complaint counsel had
failed to carry its burden of proving that LabMD’s alleged failure to
employ reasonable data security constitutes an unfair trade practice,
because complaint counsel failed to prove that the allegedly unreasonable
conduct caused or was likely to cause substantial injury to consumers.” He
added, “At best, Complaint Counsel has proven the ‘possibility’ of harm,
but not any ‘probability’ or likelihood of harm. Fundamental fairness
dictates that demonstrating actual or likely substantial consumer injury
under Section 5(n) [of the FTC Act] requires proof of more than the
hypothetical or theoretical harm that has been submitted by the government
in this case.”

This matter is far from over, since the FTC has appealed the decision to
the full FTC Commission, which will likely result in the decision being
overturned. But the ALJ’s finding does fall in line with a string of cases
questioning whether regulatory investigations and class actions are
appropriate where no harm resulted from an actual or potential data breach.

While these decisions may appear conflicting, they address very different
issues and are in fact mutually exclusive. Wyndham involved actual proven
consumer harm whereas LabMD did not. Query whether the Third Circuit and
the lower court would have upheld the FTC’s authority to prosecute
inadequate security practices in the absence of provable and discernible
harm. The lack of harm was very much the centerpiece issue for the FTC’s
ALJ in LabMD.

Regardless of the final outcome of these cases, companies that collect and
maintain consumer information, particularly sensitive information such as
account numbers, must develop and implement sound data security policies
and procedures designed to prevent unauthorized breach and intrusion. In
the absence of statutory prescriptions to follow, the FTC has published a
document that many consider to be a treasure map to the FTC’s secret vault
of security expectations.

This document, titled “Start with Security: A Business Guide,” follows a
series of FTC workshops and papers involving privacy and data security. It
highlights the following 10 practical lessons that can be drawn from over
50 data security cases the agency has brought over the last decade.

1. The FTC urges companies to factor security into every aspect of their
business, especially when developing data collection, retention and use
policies. Specifically, companies should not collect unneeded personal
information, should only retain collected information for as long as
needed, and should not use such information for unnecessary purposes.

2. Companies should limit access to personal information to only those
employees and vendors who need it.

3. Companies should require persons with access to personal data to use
strong and effective passwords and employ encryption devices when the
nature of the data warrants stronger protection.

4. Companies should maintain sensitive personal information securely
throughout its life cycle, both when in storage and when in transit.

5. They should design networks to separate internal networks containing
consumer information from the Internet and employ intrusion detection
software to monitor for malicious activity.

6. Given the explosive growth of telecommuters and vendors that remotely
access company networks, companies should ensure endpoint security by
requiring strong passwords and antivirus software on all remote computers
and devices.

7. They should build security considerations into all new product development
so that engineers and developers consider current and future product uses
and scaling. Companies should also consider the guidelines of the platforms
on which the products may run and be accessed.

8. Businesses should require third-party service providers to implement
appropriate security measures commensurate with the work they will perform
and the data to which they will have access and should monitor their
activity.

9. They should keep antivirus and third-party software updates current,
implement required patches as quickly as possible, and take network
vulnerability warnings seriously.

10. Finally, they should apply the same level of sensitivity and diligence
to office hardware and paper files as they would electronic files.
Specifically, companies should develop and implement security policies for
the storage of files and hardware while on and off company premises as well
as the destruction of such materials when no longer needed.

Data breaches are the new reality. As hackers continue to develop
technological capabilities faster than data protection specialists can, and
companies increasingly allow remote access to corporate networks by
employees and vendors, it is virtually impossible to protect these networks
from unauthorized attacks. But, following the FTC’s guidance outlined above
will go a long way in preventing such events from occurring. In the event
of a breach and a follow-on FTC inquiry, being able to show that this
guidance was followed might stave off a full regulatory investigation and
consent agreement. And better yet, following the guidance just makes good
business sense.