On June 30th, the Federal Trade Commission issued data security “guidance” for business as part of its “Start with Security” initiative. According to the FTC, its new guidance is drawn from “lessons learned from the more than 50 law enforcement actions the FTC has announced so far” – with corresponding settlements – against private businesses for alleged lax data security practices.
The FTC’s new “guidance” is certainly useful, identifying potential vulnerabilities and detailing general protective measures that businesses can take to help protect themselves and the personal identifying, health, and financial information entrusted to them by employees, consumers and business partners.
But it also raises a rather obvious question: does the FTC intend to use its own guidance going forward as a benchmark against which it will judge the data security practices of businesses in enforcement actions? Of course it will, so the FTC’s “Start with Security” initiative is not so much “guidance” as an end run around the legitimate legislative and regulatory processes. And that should be concerning to businesses large and small.
The great irony in all of this is that the federal government has, in several high-profile instances, failed to adhere to even the most basic elements of the FTC’s data security “guidance.” The widely reported Office of Personnel Management hacks offer a timely (and eye-opening) comparator against several of the FTC’s key data security “guidance” principles:
[Table: the OPM hack findings set against the corresponding FTC “Start with Security” principles; not reproduced in this text version.]
While the FTC continues to step up its cyber security enforcement efforts against private businesses that suffer damaging data breaches, there are no similar signs of increased accountability within the federal government itself. Despite calls from elected officials from both parties for OPM Director Katherine Archuleta and senior members of her staff to resign, OPM is content with the status quo and continues to use KeyPoint to conduct its personnel investigations for federal employees.
The American Federation of Government Employees, AFL-CIO, has filed a class action lawsuit against OPM, Director Archuleta, OPM’s CIO and KeyPoint Government Solutions in the U.S. District Court for the District of Columbia, alleging violations of the Privacy Act of 1974 and the Administrative Procedure Act, as well as negligence. Commentators, however, have already begun to question whether the plaintiffs will be able to establish cognizable damages to support their claims, given that the apparent purpose of the hacks was state-sponsored cyberespionage rather than identity theft for financial gain.
The continuing revelations about what went wrong at OPM highlight the widening disparity between the federal government’s cyber security expectations and demands from private businesses versus the glaring lack of cyber-accountability it has for years tolerated (without any meaningful change) within its own agencies. All of which brings to mind a certain Billy Joel album cover that is rather fitting…