NIST Cybersecurity Framework

Troutman Pepper

Pepper Hamilton LLP

[co-authors: Daniel Sodroski, Fernando Pinguelo]

This article was originally published in the December 2016 issue of New Jersey Lawyer magazine, a publication of the New Jersey State Bar Association, and is reprinted here with permission.

Businesses today have their work cut out for them. Small or large, no organization is immune from cybersecurity threats. Added pressures arise from stepped up government regulatory oversight and enforcement that targets an organization’s privacy and security policies, procedures, and responses to a data breach. For example, the Federal Trade Commission (FTC) is one such agency that considers itself the super-regulator of consumer data. Toward this end, the FTC has been at the forefront of bringing enforcement actions against businesses with deficient security practices that expose sensitive personal information about consumers. The challenge for businesses, of course, is determining which security practices to employ to adequately protect sensitive information and avoid an enforcement action. With that comes the natural inclination to ask: “What is the standard with which I must comply for my organization’s data security practices to withstand scrutiny?”

But this simple question compels a daunting response. Data security and technology are inherently dynamic, with technological advances occurring daily, businesses using data in new ways, and security threats evolving with each new technological advancement. The result is that what may be a best practice today, may not be six months from now. Consequently, specific rules do not comport well with data security and the FTC refuses to offer rules that so many organizations expect. Instead, the FTC provides guidance in parallel with its enforcement activity.

Recently, the FTC issued its position on a commonly asked question about standards that have developed out of the National Institute of Standards and Technology (NIST).1 Specifically, the FTC answered the question, “If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?” In short, the answer is “no,” because there is no such thing as ‘complying’ with the NIST Cybersecurity Framework. This article explains what the NIST Cybersecurity Framework is and how the framework differs from and aligns with the FTC’s approach to cybersecurity. Lawyers advising business clients, small and large, should be familiar with these principles and standards.

The NIST Cybersecurity Framework: What It Is and Is Not

President Barack Obama’s Feb. 2013 executive order titled “Improving Critical Infrastructure Cybersecurity,” prompted the NIST to develop a voluntary risk-based framework for the nation’s critical infrastructure. Issued in Feb. 2014, the resulting NIST Cybersecurity Framework is a set of industry standards and best practices that assist organizations in identifying, protecting, detecting, responding to, and recovering from cybersecurity risks.2 Importantly, the framework does not create new industry standards. Rather, it was created through the collaboration of the government and the private sector and is based on existing standards, guidelines, and practices with the current regulatory environment in mind. However, it is clear the framework does not supersede or supplement existing laws or regulations.3 Although created for the government’s critical infrastructure, the framework can apply to any organization, regardless of the organization’s size, sophistication, or cybersecurity risk level. Because it employs common, easily understood language, the framework permits both internal and external organization stakeholders, not just an information technology (IT) department, to understand, address, manage, and reduce cybersecurity risks.

The NIST Cybersecurity Framework is organized into five “continuous and concurrent” functions (identify, protect, detect, respond, and recover) which constitute the framework’s “core” for reducing cybersecurity risks. Each of the core functions provides a process for an organization’s management of cybersecurity risks.

Identify means to develop the organizational understanding to manage cybersecurity risks to systems, assets, data, and capabilities. By understanding the risks to an organization’s systems, assets, data, and capabilities, the organization can focus and prioritize its cybersecurity efforts to align with their risk management strategy and business requirements.

Protect means to develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. This function encompasses providing training to employees regarding cybersecurity risks and protection; limiting access to systems, data, and assets; using technology to secure data; and maintaining cybersecurity policies.

Detect means to develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. This function promotes the monitoring of information systems frequently and testing processes to detect irregular activity.

Respond means to develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The respond function includes executing the organization’s processes and procedures for response, coordinating and communicating with internal and external stakeholders, controlling and mitigating the event within an adequate response time, and revising the organization’s processes and procedures to incorporate lessons learned from the cybersecurity event.

Recover means to develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. This function facilitates an organization’s timely recovery to normal operations and seeks to minimize the impact of the cybersecurity event on the organization’s internal and external stakeholders.

Each core function is broken down further into categories of an organization’s needs and activities. For example, the protect function includes access control, awareness and training, and protective technology. Each category is further divided into subcategories of specific outcomes of technical or management activities. In this regard, subcategories of “access control” include the specific activities of managing credentials and remote access for authorized users. Then, within each subcategory are informative references to specific sections of standards, practices, and guidelines that illustrate a method for achieving the desired outcome. For example, for more information on the subcategory “Identities and credentials are managed for authorized devices and users,” the framework directs one to NIST Special Publication SP 800-53 Revision 4’s detailed guidelines for account management in its “Security and Privacy Controls for Federal Information Systems and Organizations.”

Because the framework provides guidance for the process an organization can take to identify, protect, detect, respond to, and recover from cybersecurity risks, it is not a checklist, standard, or ladder for organizations to climb to a static end point. Instead, the core functions are intended to be performed continuously and concurrently to protect against cybersecurity risks. Moreover, each organization faces unique risks requiring varying approaches to cybersecurity. The framework is a guide for organizations to use to build their own cybersecurity programs. It is meant to direct organizations to assess their current security capabilities, set goals for immediate and future improvement, and create a plan for achieving those individual goals of improving and maintaining their cybersecurity program. The framework can also help an organization determine which activities are most important to prioritize investments and maximize the impact of every dollar spent on security.

But the framework does not contain specific requirements, practices, or elements that must be implemented to ensure protection. After all, there is no such thing as complete protection from cybersecurity risks, and the framework is also not a cure-all or a silver bullet for protecting organizations. Every day, new risks seek to exploit previously unknown vulnerabilities, which is why the framework is not a guideline that can be reviewed once and forgotten. Organizations need to continually revisit the framework’s processes for improving their cybersecurity systems as the organizations’ assets, sophistication, and cybersecurity risks change. Just as an organization is constantly evolving, the framework is not static, but a “living document” that “will continue to be updated and improved as the industry provides feedback on [its] implementation.”4

FTC Security Standards

Since being founded in 1914, the FTC has functioned as the nation’s consumer protection agency. The FTC is committed to protecting consumer privacy and promoting data security through its Federal Trade Commission Act, Section 5 power to prohibit “unfair or deceptive acts or practices in or affecting commerce.”5 The commission’s standard for data security, and what constitutes unfair or deceptive acts, is ‘reasonableness.’ But what does this amorphous standard mean?

Last summer, Wyndham Worldwide challenged the FTC’s authority to regulate cybersecurity practices and the FTC’s lack of a defined standard.6 A New Jersey District Court held that the FTC Act permits the FTC to regulate cybersecurity practices and refused “to carve out a data-security exception to the FTC’s unfairness authority.”7 The court concluded that “fair notice” of what constitutes reasonable cybersecurity practices does not “require[] the FTC to formally issue rules and regulations before it can file an unfairness claim in federal district court.”8 Recognizing the evolving landscape of cybersecurity, the court explained that the prohibitions in Section 5 of the act are “necessarily flexible” and intended for “cases arising out of unprecedented situations.” According to the court, the FTC’s complaints, consent agreements, public statements, and business guidance brochure provide sufficient guidance to companies about the FTC’s standards for reasonable and appropriate data security practices.9

On appeal, the Third Circuit affirmed the district court’s holding, finding that Wyndham was “not entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform.”10 The court went on to recognize that Wyndham and other organizations only need “fair notice” that its conduct could fall within the purview of FTC enforcement under Section 5.11

The FTC considers whether an organization’s approach to security is reasonable in light of the volume and sensitivity of the information the organization maintains. The FTC also considers the size and complexity of the organization’s operations and the cost of the resources available to address the organization’s vulnerabilities. Overall, the FTC looks at whether the company has undertaken a reasonable approach to secure its data.

Rather than waiting for a clear delineation from the FTC of the type of conduct it is going to police, businesses need to be cognizant of past and current enforcement actions, FTC-issued security guidebooks, and other resources available on the FTC’s website.12

One such guideline the FTC has provided to organizations is the Start with Security: A Guide for Business, Lessons Learned from FTC Cases.13 In this guideline, the FTC has distilled its more than 50 enforcement actions into 10 lessons for addressing vulnerabilities that affect organizations and practical guidance on how to reduce data and privacy risks. The 10 lessons are: 1) start with security; 2) control access to data sensibly; 3) require secure passwords and authentication; 4) store sensitive personal information securely and protect it during transmission; 5) segment the network and monitor who’s trying to get in and out; 6) secure remote access to the network; 7) apply sound security practices when developing new products; 8) make sure service providers implement reasonable security measures; 9) put procedures in place to keep security current and address vulnerabilities that may arise; and 10) secure paper, physical media, and devices.14

As the FTC recognized, most of these lessons result from basic security mistakes. However, the FTC will continue to bring enforcement actions if organizations fail to employ reasonable and appropriate cybersecurity practices.

NIST Cybersecurity Framework Aligns with the FTC’s Approach

The FTC has recognized that the NIST Cybersecurity Framework’s approach is fully consistent with its own approach to cybersecurity. In fact, the FTC has for years been evaluating and bringing Section 5 enforcement actions against organizations for failing to take reasonable and appropriate steps to identify, protect, detect, respond to, and recover from cybersecurity risks, the five core functions of the framework.

The FTC took action against companies, like Petco, which failed to identify its cybersecurity risks and develop a roadmap for addressing them. In the enforcement action against Petco, the FTC brought a Section 5 claim under the deception prong, alleging Petco failed to identify security flaws in its website that violated privacy promises it made to its customers.15 The alleged security flaws were commonly known web-based application attacks that would have been preventable had Petco implemented reasonable and appropriate security measures to secure and protect sensitive consumer information, including readily available defenses that would have blocked such attacks. Both the FTC and the NIST Cybersecurity Framework encourage companies to take steps to identify threats and areas of vulnerability to both data and personal information.

The FTC has also pursued enforcement actions against Twitter16 and Accretive Health,17 for failing to protect their organizational data. In the action against Twitter, the FTC alleged that Twitter provided the majority of its employees with administrative control over its system, which increased the chance of a serious breach. Because Twitter did not limit administrative control to a select few, the FTC alleged, a hacker could gain control of Twitter’s system by obtaining access to almost any employee’s credentials. In its action against Accretive Health, an employee’s laptop computer, containing 20 million pieces of information on 23,000 patients, was stolen from the employee’s car. The FTC alleged the organization failed to create adequate data security measures to protect sensitive consumer information against the risk of theft or misuse. Both the FTC and the NIST Cybersecurity Framework advise organizations to control access permissions and protect data on the move.

FTC actions have also resulted from organizations failing to detect the occurrence of a cybersecurity breach in a timely manner. When Dave and Buster’s failed to implement intrusion detection software or monitor its system for irregular activity, the FTC brought a Section 5 action against the company after consumers’ credit and debit card information was hacked, resulting in several hundred thousand dollars in fraudulent charges.18 Had Dave and Buster’s followed the NIST Cybersecurity Framework’s guideline and monitored the activity on its systems, it may have identified the intrusion earlier and may have minimized the attack. The FTC and the framework encourage use of monitoring systems to alert organizations to unauthorized personnel, connections, devices, and software on their systems.

The widely publicized FTC action against Wyndham Worldwide resulted from the organization’s failure to respond to a detected cybersecurity event.19 The FTC alleged that Wyndham was aware of a previous cybersecurity breach, but despite its knowledge did not respond properly and failed to monitor its system for the same malware used in subsequent attacks, resulting in the total exposure of 619,000 consumer records. Specifically, Wyndham experienced two more breaches by hackers using the same or similar techniques as the first breach. The FTC alleged that Wyndham failed to remedy known security vulnerabilities, failed to employ reasonable measures to detect unauthorized access, and failed to follow proper incident response procedures.

The FTC and the NIST Cybersecurity Framework urge organizations to contain cybersecurity events and take the appropriate actions necessary to prevent the same or similar attacks in the future. Further, organizations need to communicate about cybersecurity attacks with their internal and external stakeholders.

Finally, the FTC has brought an enforcement action against Oracle based on Oracle’s failure to communicate with its consumers about how to recover from a cybersecurity event.20 The FTC alleged that Oracle knew about major security vulnerabilities in its software yet promised its consumers that installing the software would make their systems more safe and secure. The FTC alleged that Oracle failed to communicate truthfully about what consumers would need to do in order to be protected from similar breaches in the future. According to the FTC, because Oracle left its consumers vulnerable to additional breaches, the organization did not fully recover from the cybersecurity event under the NIST Cybersecurity Framework or the FTC’s standards. The FTC required Oracle to communicate with its consumers through its website, social media, and external parties about how to protect themselves from similar attacks.

Had these organizations followed the security practices emphasized in the NIST Cybersecurity Framework (identify, protect, detect, respond to, and recover from cybersecurity risks), the organizations could have reduced the risk of a cybersecurity incident and potential exposure under Section 5 of the FTC Act.

Key Takeaways

  • Even though the NIST Cybersecurity Framework is not a cure-all and does not provide immunity from an FTC action, the FTC still encourages organizations to utilize its processes to improve their risk-based security.
  • If an organization is continuously and concurrently working through the framework’s core functions, it is more likely the organization will have undertaken a reasonable process to secure data and make it less likely that the FTC will come knocking.
  • Both the FTC and the NIST Cybersecurity Framework contemplate that there is no ‘one-size-fits-all’ approach to cybersecurity. However, FTC guidance and its enforcement approach take into account that organizations using the framework are more likely to assess and improve their control over cybersecurity risks, resulting in a higher likelihood the organization has undertaken a “reasonable” process to secure data.
  • At a minimum, businesses should utilize both the NIST Cybersecurity Framework and the FTC’s Start with Security guidance to reasonably address cybersecurity issues, to better protect consumer data, and to be proactive rather than forced to be reactive.
  • And finally, because what is reasonable today may not be reasonable tomorrow in the cybersecurity realm, businesses need to be constantly designing, redesigning, and updating their cybersecurity policies and procedures.

Endnotes

1 See https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc.

2 The NIST Cybersecurity Framework and other industry resources are available at: https://www.nist.gov/cyberframework.

3 See https://www.nist.gov/cyberframework/cybersecurity-framework-faqs-using-framework.

4 Cybersecurity Framework Version 1.0, Executive Summary dated Feb. 12, 2014.

5 15 U.S.C. § 45(a).

6 See FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. April 7, 2014).

7 Id. at 612.

8 Id. at 617.

9 Id. at 620-21.

10 FTC v. Wyndham Worldwide Corp., 799 F.3d 236, 255 (3d Cir. 2015).

11 Id. at 255, 259.

12 See FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602, 620-21 (D.N.J. April 7, 2014).

13 The FTC’s Start with Security guideline and other FTC resources are available at: https://www.ftc.gov/tips-dvice/businesscenter/guidance/start-security-guide-business.

14 Id.

15 See https://www.ftc.gov/enforcement/casesproceedings/032-3221/petco-animal-supplies-inc-th-matter.

16 See https://www.ftc.gov/enforcement/casesproceedings/092-3093/twitter-inc-corporation.

17 See https://www.ftc.gov/enforcement/casesproceedings/122-3077/accretive-health-incmatter.

18 See https://www.ftc.gov/enforcement/casesproceedings/082-3153/dave-busters-incinmatter.

19 See https://www.ftc.gov/enforcement/casesproceedings/1023142-x120032/wyndhamworldwide-corporation.

20 See https://www.ftc.gov/enforcement/casesproceedings/132-3115/oracle-corporationmatter.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Troutman Pepper
