FTC: NIST Framework Not Automatic Compliance

Locke Lord LLP

In a recent blogpost the Federal Trade Commission made clear that a company does not necessarily meet its information security obligations arising from Section 5 of the FTC Act simply by using the National Institute of Standards and Technology’s (NIST’s) Framework for Improving Critical Infrastructure Cybersecurity (Framework). By way of background, Section 5 of the FTC Act prohibits “unfair” and “deceptive” acts by companies dealing with consumers in interstate commerce, and has been used by the FTC for more than a decade to require companies to abide by their promises and to reasonably secure consumer information. The Framework provides guidance to companies trying to improve their cybersecurity practices through a detailed set of assessment categories within five main functions (Identify, Protect, Detect, Respond, Recover).

The FTC addresses the issue as a response to the question “If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?” Within its response the FTC points out that there really is no such thing as compliance with the Framework; rather, the Framework is a practical guide to help companies implement sound security practices. The blogpost states that the Framework and the FTC’s approach are “fully consistent,” and proceeds to review the FTC’s enforcement actions in the information security space over the years. The lessons from those enforcement actions (most of which end up in “voluntary” consent decrees) are sometimes referred to as the “common law” of FTC enforcement in the area of information security.

About a year ago, the FTC provided similar guidance in its “Start with Security: A Guide for Business.” The Guide for Business is also a helpful introductory document for companies seeking to get their arms around basic information security issues. It summarizes the FTC’s views on information security into the following points:

  • build information security into decision making;
  • control access to data sensibly;
  • require secure passwords and authentication;
  • store sensitive information securely and protect it during transmission;
  • segment your network and monitor who’s trying to get in and out;
  • secure remote access to your network;
  • make sure your service providers implement reasonable security measures;
  • put procedures in place to keep your security current and address vulnerabilities that may arise; and
  • secure paper, physical media, and devices.

Companies that are sharpening their information security practices should take special note of the highlights from FTC publications such as the recent blogpost and the Start with Security publication. As the blogpost points out, the Framework is a valuable tool in connection with that exercise.

Written by:

Locke Lord LLP