BreachExchange mailing list archives

The FTC’s expanding cybersecurity influence


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 16 Sep 2014 19:25:41 -0600

http://fedscoop.com/ftcs-expanding-cybersecurity-influence/


The answer to who is in charge of the federal effort to bolster the
nation’s cybersecurity posture may not be as difficult to uncover as
previously thought. As the Department of Homeland Security awaits public
comments on its voluntary framework initiative—due Oct. 10—the Federal
Trade Commission has been making an aggressive push to expand its
authorities and force companies that have lax security programs to bolster
their defenses.

To be fair, the DHS-backed program, known as the Framework for Improving
Critical Infrastructure Cybersecurity and developed by the National
Institute of Standards and Technology with extensive input from the private
sector, is only seven months old. But despite more than a year of
development work and meetings around the country, nobody is really sure yet
how many private sector firms have adopted the voluntary standards or what
impact the standards have had on the nation’s cybersecurity posture. What
is clear, however, is that the number of massive data breaches is rising, and
so is the number of punitive enforcement actions by the FTC targeting
companies that have failed to take appropriate measures to protect consumer
information.

This year, the FTC pursued its 50th data security enforcement case against
an audio transcription company that it alleges did not properly protect the
personally identifiable information contained in 15,000 user files exposed
on the Internet. In addition, the agency recently announced it will
investigate last year’s Target data breach, and some lawmakers are now
calling on the FTC to investigate this month’s reported hacking incident at
Home Depot that may have compromised the personal financial information of
tens of millions of consumers.

The FTC is gaining ground in the national cybersecurity debate due to an
aggressive attempt to expand its authorities under Section 5 of the Federal
Trade Commission Act, which prohibits unfair and deceptive acts or
practices. The agency’s push for greater authority to regulate
cybersecurity practices in the private sector won a major victory recently
when a federal judge denied a motion to dismiss the FTC’s case against
Wyndham Worldwide Corp. for failing to protect consumer information.
According to a Sept. 11 report by the Congressional Research Service, the
judge’s ruling effectively lends support to the FTC’s position that it
possesses jurisdiction to regulate data security under its unfair or
deceptive practices authority. And as new massive data breaches make the
news, experts warn of additional FTC enforcement actions on the horizon.

“The FTC has already signaled that it sees a broad role for itself in data
and cybersecurity,” said Megan Brown, a partner with Wiley Rein LLP in
Washington, D.C. “The agency has been aggressively investigating and
bringing cases, using an expansive approach to its legal authority.
High-profile incidents like [the Home Depot and Target breaches] provide
the agency with more rhetorical ammunition as it stakes out its territory.”

According to recent testimony by FTC Chairwoman Edith Ramirez, the FTC has
leveraged its deceptive practices authority to settle more than 30 cases
challenging companies’ express and implied claims about the security they
provide for consumers’ personal data. The agency has also settled more than
20 cases alleging that a company’s failure to reasonably safeguard consumer
data was an unfair practice.

“The agency seems content to let enforcement actions set general
expectations for private industry,” Brown said. “While this case-by-case
approach tends to foster uncertainty about the adequacy of compliance
measures, the private sector should expect more investigations and
information requests, particularly in the aftermath of a high-profile
incident.”

Todd C. Taylor, an attorney at Charlotte, North Carolina-based Moore & Van
Allen PLLC, agreed that more high-profile data breaches would likely lead
to more activity by the FTC, but the biggest indicator of potential FTC
actions is the recent decision in the Wyndham case. “The Wyndham ruling
will likely embolden the FTC to more aggressively go after retailers that
have experienced data breaches,” Taylor said. “Whether they will do so in
the case of Home Depot, Target or others remains to be seen.”

Some fear any increase in FTC activity that tries to enforce cybersecurity
standards could be damaging, not only to industry but to the overall
government-led effort to coordinate cybersecurity information sharing.

Vijay Basani, CEO of Acton, Massachusetts-based EiQ Networks Inc., said the
FTC is not qualified to set and enforce security standards and the agency
should not attempt to do so. “FTC’s mission is to ensure the rights of
consumers, fair trade, accurate information in the market place and the
elimination and prevention of anticompetitive business practices,” Basani
said. “Cybersecurity is not one of FTC’s missions and as such FTC does not
have expertise and knowledge to enforce and set cybersecurity standards. It
is best left in the current voluntary effort managed by DHS, which deals
with cybersecurity on a daily basis.”

“There is clearly a role for consumer protection agencies and legislators
to play in turning up the heat on companies who have been seen as not
having done enough to secure personally identifiable and highly valuable
data,” said Steve Durbin, managing director of the Information Security
Forum. “So, it is interesting to see the FTC now weighing in on this. While
I am not sure that they should have a role to play in setting standards,
there is certainly a space that they can occupy in enforcing data security
that is consistent with their overall mission. The fact that the FTC is an
independent agency is an added bonus, and should be recognized.”

There are currently eight bills pending in Congress that would affect the
FTC’s role in cybersecurity, including several that propose granting the FTC
the authority to promulgate information security standards, to impose civil
penalties on companies that fail to meet certain standards, and to issue
administrative rules.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 