Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Which Federal Agency Controls Cybersecurity? The Answer May Surprise You.

From: InfoSec News <alerts () infosecnews org>
Date: Thu, 17 Apr 2014 07:42:44 +0000 (UTC)
http://www.newrepublic.com/article/117389/ftc-gains-control-cybersecurity-measures-after-wyndham-hotels-case

By Paul Rosenzweig
Security States
The New Republic
April 16, 2014
One of the most hotly contested questions in the cyber domain (at least domestically) is whether or not the federal government should have a role in setting universal cybersecurity standards for critical American infrastructure. That was the ground for debate much of 2011 and 2012 in Congress.
The debate gave rise to a subsidiary question: If the federal government is going to set standards, which part of the government should be responsible? Some (the "hawks") favored the National Security Agency. (This was before Edward Snowden became a household name.) Others (the "doves") thought that civilian control through the Department of Homeland Security was the better course of conduct. But everyone seemed to agree that one of the federal government security agencies should be in charge of setting cybersecurity standards.
In our current system of government, though, things that make sense seldom become reality. It now seems that our cybersecurity standards are going to be set by a consumer protection organization -- the Federal Trade Commission (FTC). The case that made this clear is Federal Trade Commission v. Wyndham Worldwide Corporation, a civil suit brought in the District of New Jersey by the FTC relating to a cybersecurity breach at Wyndham Hotels.
To understand how the case creates this new reality, we need to step back and understand the FTC. The FTC has two grounds on which it can bring a civil lawsuit. One is an allegation of deception -- in other words, an argument that some consumer service organization (like, say Wyndham Hotels) had made representations to the public that were false. As you can imagine, allegations of that sort are often tied to particular circumstances and particular facts. The second ground for FTC enforcement is a broader one: that a company has engaged in "unfair" business practices. This means, in the words of the statute, that a company "caused or [is] likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition." In other words, that a company made a cost/benefit analysis to the detriment of consumers in a way that the FTC thinks is unreasonable. 

[...]



--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/
Previous By Date Next
Previous By Thread Next

Current thread: