BreachExchange mailing list archives

What CIOs Need to Know About the FTC Cybersecurity Ruling


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 1 Sep 2015 09:04:40 -0600

http://blogs.wsj.com/cio/2015/08/31/what-cios-need-to-know-about-the-ftc-cybersecurity-ruling/

No matter how much a company spends in money and resources for cyber
security, there is always the risk that the system will be hacked. Now, a
decision by the Third U.S. Circuit Court of Appeals has confirmed that in
the event of such an information technology system hack, the U.S. Federal
Trade Commission has authority to investigate the company and charge it
with unfair trade practices for failure to protect customers from the theft
of online data.

The FTC has been routinely filing and settling such claims for years. Among
potential claims by the FTC are claims that the firewalls were
insufficient, the cybersecurity software was antiquated, and that proper
data security procedures were not implemented or followed. If the FTC files
a claim, in addition to reputational damage, a company can be subject to
expensive fines and there is a heightened risk that the FTC claim will
encourage class action lawsuits.

In view of these potential risk factors, a CIO should act defensively to
mitigate the company’s exposure to claims by the FTC and other government
regulators. Admittedly, some procedures which a company may implement to
reduce the risk of a claim by the FTC after a cyberattack may appear to be
aimed at “optics.” However, documenting compliance with cybersecurity
safety standards is potentially as important to the bottom line as the
compliance itself. In addition to actually having in place the most
up-to-date practical anti-hacking software, a company needs to be able to
demonstrate the way in which it has protected private customer information
in order to dissuade the FTC from taking action, and to protect its
officers and directors from class action lawsuits following an FTC
complaint. Some defensive steps to be considered are as follows:

Compliance with the NIST Cybersecurity Framework. The National Institute of
Standards and Technology has issued a “Framework for Improving Critical
Infrastructure Cybersecurity,” which is becoming a de facto standard of
cybersecurity for U.S. regulators. The Framework is the equivalent of a gap
analysis, with a company setting up its own profile. If a company can
demonstrate to the FTC that it has implemented the Framework, it may help
to persuade the FTC that there are no grounds to file a complaint.

Updating of data and privacy policies. Every company has a data privacy and
security policy. However, many of those policies may have been written
several years ago and may not reflect recent standards and practices. A
company should regularly update those policies to comply with the most
recent cybersecurity requirements.

Report by respected third-party consultant. Virtually every major
information technology consultant now has a cybersecurity practice.
Although it is an added expense, and its worth may only be demonstrated if
a hack is uncovered, a CIO should retain a respected consultant to perform
an annual data security review, should update the company’s security to
comply with the report’s recommendations and obtain from the consultant a
report confirming that the company has implemented the most current
anti-hacking processes and protections.

Risk manager involvement. The CIO should actively coordinate with the
company’s risk managers, so that they too document the company’s compliance
with the most recent protective steps for cyber security.

Cybersecurity insurance. Cybersecurity risks are often not included in a
commercial general liability insurance policy. The CIO should review the
company’s cybersecurity policy to ensure that it provides the necessary
coverage in the event of a hack and subsequent regulatory and legal action
by the FTC and others.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/