Since the 9/11 attacks, the National Institute of Standards and Technology (NIST) has worked to help government and businesses improve the security of critical technology infrastructure. The NIST Framework for Improving Critical Infrastructure Cybersecurity, released in February 2014, outlines resources and processes intended to help prevent attacks and lower the risks to both organizations and consumers.
On August 31, 2016, the Federal Trade Commission (FTC), whose duties include promoting data security in the private sector through civil law enforcement and education, published a discussion of how the NIST Cybersecurity Framework (discussed in my 2014 article) relates to the FTC’s mission and enforcement actions.
Without going so far as to state that compliance with the Framework would amount to compliance with FTC requirements, the FTC did state that following the processes outlined in the Framework would have resulted in better data protection in many of its enforcement actions, implying that the result would have been no enforcement action at all, or smaller penalties.
The perceived lapses that the FTC has challenged through enforcement actions often correspond to the Framework’s five core functions. Each core function, with a brief description of some of the FTC challenges associated with it, is set out below:
- Identify – develop an understanding of where data flow and are stored in order to manage and analyze risk to systems, data and assets, including pricing and customer information and other company confidential and proprietary information. The FTC has brought cases based on the allegation that companies failed to take appropriate action to assess their security risks and develop plans to address them (CVS Caremark Corporation and Petco Animal Supplies).
- Protect – develop and implement safeguards to limit the impact of an event, including requiring security standards from vendors and implementing policies and procedures for employees. Many FTC cases turn on a company’s failure to implement the reasonable data security practices described in the “Protect” function (Twitter, Inc. and Accretive Health, Inc.).
- Detect – develop and implement procedures to identify an event, including requiring vendors to detect an event and provide notice of it expeditiously. The FTC stresses that companies should have processes in place to detect intrusions (including any occurring through vendors) and has brought cases based on the failure to have such processes in place (Dave & Buster’s, Inc. and Franklin’s Budget Car Sales, Inc.).
- Respond – prepare a plan and procedures for taking action in the case of an event, whether internal or external. FTC cases have challenged companies’ failures to maintain and execute adequate response processes and procedures (Wyndham Worldwide Corporation and ASUSTeK Computer, Inc.).
- Recover – have a plan in place to restore capabilities impaired by an event, so as to reduce its impact and the resulting losses. The FTC’s position is that such plans should be in place and that consumer interests should factor into the plan (Oracle Corporation).
The bottom line is that doing the work to follow the Framework model can lower a company’s risk. Even if a data security incident occurs, having gone through the process of developing and implementing an appropriate plan may reduce the company’s liability and possible penalties. As a bonus, the same practices may prevent some breaches from occurring at all.