The Federal Trade Commission (FTC) recently presented an analysis of how its approach to data security over the past two decades compares with the Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework) issued in 2014 by the National Institute of Standards and Technology (NIST) and strongly endorsed by the White House.
The FTC’s recent blog post on “The NIST Cybersecurity Framework and the FTC” frames its discussion around the frequently asked question, “If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?”
The FTC first explains that the question rests on a faulty premise, since the Framework is not designed to be a compliance checklist. Instead, the blog post outlines how the FTC’s enforcement actions comport with the Framework’s five Core functions—Identify, Protect, Detect, Respond, and Recover—and emphasizes that both the Framework and the FTC’s approach treat risk assessment and management, along with the implementation of reasonable security measures, as the touchstones of any data security compliance program.
The FTC has signaled its data security expectations through 60+ data security enforcement actions under Section 5, as well as through guidance materials. Recent enforcement actions include an ongoing case against LabMD and the Third Circuit’s Wyndham decision, which affirmed the FTC’s data security authority under Section 5, as well as a settlement with ASUSTek focused on addressing known security vulnerabilities. Key guidance materials include two 2015 publications: “Start with Security: A Guide for Business,” which summarizes lessons learned from approximately fifty of the FTC’s data security enforcement actions, and “Careful Connections: Building Security in the Internet of Things,” which accompanies the FTC’s seminal report on the “Internet of Things: Privacy & Security in a Connected World.” The FTC’s new blog post summarizes the agency’s approach to data security as follows:
From the outset, the FTC has recognized that there is no such thing as perfect security, and that security is a continuing process of detecting risks and adjusting one’s security program and defenses. For that reason, the touchstone of the FTC’s approach to data security has been reasonableness—that is, a company’s data security measures must be reasonable in light of the volume and sensitivity of information the company holds, the size and complexity of the company’s operations, the cost of the tools that are available to address vulnerabilities, and other factors. Moreover, the FTC’s cases focus on whether the company has undertaken a reasonable process to secure data.
The blog post provides background on the NIST Framework and the FTC’s approach under Section 5, then summarizes FTC enforcement actions against companies for practices that allegedly did not comply with the Framework’s Core functions. The blog post lists a total of thirty-eight data security practices identified in FTC enforcement actions that align with Framework action steps.
Identify. The FTC highlights enforcement actions alleging companies’ failure to implement information security policies and procedures (CVS Caremark Corporation; Petco Animal Supplies), as well as to have a process for receiving, addressing, or monitoring reports about security vulnerabilities (HTC America, Inc.; TRENDnet, Inc.).
Protect. The FTC highlights enforcement actions alleging companies’ failure to limit administrative access to systems and information (Twitter, Inc.), as well as to protect data in transit and manage assets throughout their lifecycle (Accretive Health, Inc.; Cbr Systems, Inc.).
Detect. The FTC highlights enforcement actions alleging companies’ failure to have processes in place to detect intrusions (Dave & Buster’s, Inc.), including monitoring outgoing network transmissions for unauthorized disclosures of personal information (Franklin’s Budget Car Sales).
Respond. The FTC highlights enforcement actions alleging companies’ failure to develop and implement incident response procedures (Wyndham Worldwide Corporation), as well as to voluntarily share security information with external stakeholders to achieve broader awareness of cybersecurity threats (ASUSTeK Computer, Inc.).
Recover. For the fifth Core function, the FTC notes how its consent orders emphasize “how consumer interests should factor into a company’s recovery plan”—but does not identify any enforcement actions focused on violations of Recover action steps.
The FTC concludes that use of the Framework can help companies better protect personal information. As the FTC notes, the Framework “can serve as a model for companies of all sizes to conduct risk assessments and mitigation, and can be used by companies to: (1) establish or improve a data security program; (2) review current data security practices; or (3) communicate data security requirements with stakeholders.” The FTC recommends companies consult the Start with Security guidance alongside the Framework to enhance their data security posture and reduce cybersecurity risks.