Crossroads Blog | Institute National Security and Counterterrorism

Cybersecurity, Data Breaches, FTC

Cybersecurity Consideration for Businesses in a Post-Wyndham World

Top 10 Cybersecurity Tips for Businesses Following FTC v. Wyndham (LegalTechNews):  Matthew Nelson wrote an article for LegalTech News regarding the standard of care businesses are expected to meet following the Federal Trade Commission (“FTC”) v. Wyndham case.  According to the article, the FTC has relied on § 5 of the FTC Act to obtain over 50 settlements against businesses for failing to take adequate cybersecurity measures to protect consumer data from hacking.  Specifically, the FTC has leveraged the language in § 5 that prohibits the use of “unfair or deceptive acts or practices in or affecting commerce”, according to Nelson’s article.  The FTC’s assertion of power under this section was largely unchallenged until Wyndham Worldwide pushed back in a case that reached the Third Circuit in 2015, according to the article.

Embedded document: Mem-Op-14-3514

Similarly, the article notes that an Administrative Law Judge dismissed a similar case finding that the FTC’s regulation of unfair practices must demonstrate that consumer harm is not merely possible, but rather probable.  However, the article points out that the FTC is appealing this and the ALJ holding is non-binding.

Embedded document: Docket-9357-LabMD-Initial-Decison-electronic-version-pursuant-to-FTC-Rule-3-51c21

Nelson’s article indicates that in order to assist businesses in understanding the requisite standard of care, the FTC has published “Start with Security, A Guide for Business, Lessons Learned from FTC Cases” which is an update to the pre-existing 2007 guidebook (which Wyndham relied on to assert its position that it had given requisite notice to consumers).

Embedded document: pdf0205-startwithsecurity

The FTC Guide includes 10 tips for businesses:

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

The FTC guide then delves into each point individually to provide further guidance.
My Opinion

Is the Federal Trade Commission really providing guidance on cybersecurity?  Does the phrase “physician heal thyself” come to mind here?  Is this hypocrisy, irony, or just one more case where different parts of the government have absolutely no clue what other parts are doing?

Following the IRS hacks, the massive OPM data breach and the apparent lack of meaningful cybersecurity practices for our Nation’s infrastructure (e.g., DOE nuclear facilities), how can the FTC pursue businesses that have failed to take “reasonable” steps when significant portions of the government haven’t just failed to take reasonable precautions, but rather have failed to take almost any precautions with cybersecurity?

It is seemingly mind-boggling to consider that while over 20M highly-detailed, extremely sensitive 120+ page SF-86 personnel records were being exfiltrated from the Office of Personnel Management, the FTC and its Legal Team were pursuing Wyndham Hotels for failing to take “reasonable” cybersecurity precautions to prevent the theft of personal and financial data of a couple of hundred thousand consumers. Having been on the receiving end of a friendly OPM notice indicating that “We have determined that your Social Security Number and other personal information was included in the intrusion” I find no comfort in knowing that the FTC has reached over 50 settlements regarding insufficient cybersecurity practices while OPM has seemingly failed to follow a single one of the FTC’s “Top 10 Tips”.

In the case of a data breach at a company that one voluntarily chooses to do business with, the consumer has options.  As consumers, or as a block of consumers, we can elect to conduct business with other entities; we can in many cases dictate what information we provide and to whom.  Is the FTC providing useful guidance — perhaps, but in the end consumers have some flexibility.

In the case of a data breach related to the background investigations built on the SF-86 forms, the choice is binary: a simple yes or no.  If you wish to work in certain positions you have to undergo a background investigation; you are not able to choose where your data goes, what information is disclosed or how it is stored.  Fortunately, as it turns out, everyone is equally vulnerable, as the letter from the Acting Director of OPM, Beth Cobert, indicates that she too was a victim of the “…malicious cyber intrusion carried out against the U.S. Government.”

At some point the Government will realize that cyber is everywhere and it touches everything.  To that end, the Government is going to have to consider a common set of guidelines that apply across the public as well as private sectors and they are going to have to begin the process of implementing logical and reasonable cybersecurity practices across the board.  It is unacceptable to have the FTC pursue settlements against companies for a perceived lack of cybersecurity protections while various other arms of the Government have taken few if any steps to implement “reasonable” cybersecurity measures.
