BreachExchange mailing list archives

Companies Should Think About Cybersecurity In Terms of Reducing Regulatory, Legal Risks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 27 Jun 2014 13:24:01 -0600

http://www.bna.com/companies-think-cybersecurity-n17179891642/

Companies need to think about cybersecurity in terms of reducing risk and
regulatory and legal headaches rather than in terms of return on
investment, panelists at Stanford Law School's “E-Commerce Best Practices”
conference said June 16.

The Federal Trade Commission and National Institute of Standards and
Technology help shape how the implementation of security measures is
presented to the C-suite, panelists said during a session on cybersecurity.

Misguided Focus?

Although managers may understand that their company might be hacked or be
sued by regulators, the issue on which they focus is the return on
investment and how much money they can save by implementing standards, said
Joseph V. DeMarco, partner at DeVore & DeMarco LLP in New York.

A good accountant can provide precise information about accounts receivable
and fraud, DeMarco said. “But cyber is different as we all know because the
information is moving around, data is coming into the organization at the
speed of light, devices are coming on and off the network every day” and
the “bad guys are hiding behind layers and layers of anonymity.”

Focusing on return on investment and how risk will be reduced by “x”
percent, DeMarco said, fails to consider that following standards reduces
legal, business and reputational risks.

As a prosecutor for 10 years, DeMarco said he “picked through the wreckage
of every data breach imaginable.”

“Recurring themes do present themselves,” he said. “And if you follow any
one of the models, you are going to reduce risk” and increase the ability to
detect and respond to wrongdoing effectively and efficiently.

“And finally, when the regulators come knocking or the plaintiffs'
attorneys come calling, you will be able to answer them with satisfactory
answers that are going to dramatically improve a good outcome,” DeMarco
said.

FTC Actions as Guidance

The FTC has brought large enforcement actions against companies such as
Facebook Inc. and Microsoft Corp. that ended in 20-year consent decrees,
said Thomas Smedinghoff, a partner with Edwards Wildman Palmer LLP in
Chicago.

In a case in which Wyndham Worldwide Corp. challenged the FTC's enforcement
authority, the U.S. District Court for the District of New Jersey in April
held that the FTC has authority under the “unfairness” prong of the FTC Act
to bring enforcement actions to remedy unreasonable data security practices
(FTC v. Wyndham Worldwide Corp., 2014 BL 94785, D.N.J., No. 2:13-cv-01887,
4/7/14).

“One of the more interesting parts of the opinion is the court basically
says, look to past FTC decisions. Look to see how they treated this in the
past and that you can use as guidance for how you're going to be treated
and what your obligation is likely to be,” Smedinghoff said, adding that
knowing what reasonable measures to take is a challenge for businesses.

DeMarco said he wasn't surprised the FTC was reluctant to disclose in “any
meaningful format what it views as a reasonable security.”

NIST Cybersecurity Framework

Under an executive order from President Barack Obama, NIST in February
released a final voluntary cybersecurity framework of best practices for
the protection of critical infrastructure.

The framework is written in language that is understandable and
approachable to those who don't normally deal with cybersecurity, such as
corporate directors, said Donald Vieira, a partner with Wilson Sonsini
Goodrich & Rosati in Washington.

DeMarco said he expects the NIST guidelines will become a de facto standard
of care, and businesses should consider the NIST standards as they think
about privacy and security.

Françoise Gilbert, founder and managing director of the IT Law Group in
Palo Alto, Calif., said the NIST framework is “a very good tool to
communicate” how to accomplish security goals and is a “nice, organized,
simple way to get there.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 