Ever since its groundbreaking settlement in the BJ's Wholesale case, which defined and mandated reasonable and appropriate security practices for companies in all industries, the Federal Trade Commission (FTC) has led efforts to move corporate America toward more effective information security practices.
Now, with its recently published guidance on information security, called "Protecting Personal Information: A Guide for Business," the FTC has provided a useful, efficient approach for companies to follow in developing an appropriate information security program. This guidance should be reviewed by any entity that maintains personal information about employees or customers.
BJ's Wholesale Case
The FTC's settlement with BJ's Wholesale Club had the effect of making a security program a national requirement for any company that holds personal information, regardless of industry or specific statutory or regulatory requirements. See In the Matter of BJ's Wholesale Club, Inc., Docket No. C-4148 (Sept. 23, 2005). In the FTC's view, a failure to develop and implement an effective information security program constitutes an unfair trade practice under the Federal Trade Commission Act, independent of any more precise requirements.
In the BJ's case, the FTC took enforcement action even though BJ's apparently made no representations whatsoever to its customers concerning security protections. Instead, the FTC alleged that BJ's information security practices, taken together, did not provide "reasonable security for sensitive customer information." Specifically, the FTC alleged that BJ's violated the FTC Act because it:
- Failed to encrypt consumer information when it was transmitted or stored on computers in BJ's stores;
- Created unnecessary risks to the information by storing it for up to 30 days, in violation of bank security rules, even when it no longer needed the information;
- Stored the information in files that could be accessed using commonly known default user IDs and passwords;
- Failed to use readily available security measures to prevent unauthorized wireless connections to its networks; and
- Failed to use measures sufficient to detect unauthorized access to the networks or to conduct security investigations.
These problematic practices apparently came to light because of a large number of false or fraudulent charges posted to the payment card accounts of BJ's customers, which the FTC determined to have been derived from "hacker" access to this poorly secured information (including through in-store wireless networks).
BJ's settled the FTC allegations without admitting any wrongdoing. The settlement not only requires the company to implement "a comprehensive information security program that is reasonably designed to protect the security, confidentiality and integrity of personal information collected from or about consumers," but also requires an independent third-party assessment of that program every other year for the next 20 years, subject to ongoing FTC oversight.
The reasonable security program -- as mandated by the FTC -- must include the following components:
- The designation of an employee (or employees) to coordinate and be accountable for the information security program;
- The identification of "material internal and external" risks to the security of this personal information (with this risk assessment to include employee training and management; information systems; and prevention, detection and response to attacks, intrusions or other system failures);
- The design and implementation of reasonable safeguards to control the risks identified in this risk assessment; and
- The evaluation and adjustment of the program in light of the results of testing and ongoing monitoring of the program, material changes to the company's operations or business arrangements or "any other" circumstances that may have a material impact on the effectiveness of the security program.
The elements of this settlement have become the minimum "standard" for a reasonable and effective security program -- across all industries.
Guidance Announced at IAPP Summit
Following the BJ's case and various other enforcement efforts, FTC Chairman Deborah Majoras announced the FTC's new information security guidance in her keynote speech at the recent International Association of Privacy Professionals (IAPP) Summit in Washington (where she received the Privacy Leadership Award from IAPP). Majoras focused her remarks on information security. While describing the FTC's enforcement efforts, she also made clear that "our standard is not perfection -- our standard is reasonableness." Moreover, she reiterated that, where the FTC has taken enforcement action, to date, "none of our cases has been a close call. Simple, readily available and inexpensive fixes were available."
Majoras used her presentation at the IAPP Summit as the vehicle to announce the FTC's release of this important guidance. The guide, "Protecting Personal Information: A Guide for Business," is available at www.ftc.gov/infosecurity. It focuses on "five simple phrases" characterizing steps that are designed to provide effective means of identifying and responding to security concerns. The five steps are:
- TAKE STOCK. Know what personal information you have in your files and on your computers.
- SCALE DOWN. Keep only what you need for business.
- LOCK IT. Protect the information you keep.
- PITCH IT. Properly dispose of what you no longer need.
- PLAN AHEAD. Create a plan to respond to security incidents.
(Interested companies may also wish to review a somewhat similar set of practical steps set out by the Better Business Bureau in its monograph "Security and Privacy Made Simpler," available at http://www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf).
The FTC guidance provides significant detail on what a reasonable and appropriate security program should be. For any company, directly regulated by law or not, this guide is an essential resource. While most security rules are based on the concept of reasonableness, this guidance provides an important baseline for any company trying to meet its information security obligations. Moreover, the guidance reminds companies of the importance of conducting a comprehensive information assessment to determine the categories, volume and flow of information coming into and leaving a company. Understanding and analyzing these data flows is a critical first step for any effective privacy and security compliance effort. (Such privacy and security assessments are a critical component of Wiley Rein's work with companies engaged in managing privacy and security issues.)
The guidance also is important in focusing on security issues that extend beyond protecting your computer systems from outside attack. It makes clear that information can be obtained through a variety of vehicles, and that information is stored across companies -- on paper, electronically and in a variety of formats. It also reminds companies that not all data is created equal -- and that special emphasis should be placed on identifying and restricting the use and disclosure of particularly sensitive data, such as Social Security numbers and credit card information.
Beyond these assessment efforts, the guidance stresses the "human" element of information security -- both in understanding how information flows within a company (which often can be determined only by talking to the people who work with the information) and in the importance of effective awareness and training. Information security is an area where basic steps to protect data can be taken by almost every employee in a company -- and these steps can make a large difference in the protection of information. Companies also should note the guidance's security suggestions on areas where breaches have been particularly extensive -- such as laptops and other portable media, and the disposal of media and records. The guidance highlights the need for ongoing vigilance on security, to keep abreast of a constantly changing environment.
In addition, the guidance may provide useful support for companies trying to move responsibility for an overall information security program outside of a corporate information technology function. In particular, the FTC guidance makes clear that effective information security is a broader corporate function, implicating ongoing business processes and employee behavior (including a wide variety of information collected and maintained on paper), typically outside the domain of information technology offices.
Finally, we echo the FTC's statements on the importance of planning for security incidents. The FTC outlines important steps for investigating and mitigating security breaches. It is our view that these steps need to be developed and enabled before a breach happens -- so that the critical steps are undertaken in a comprehensive and efficient manner in the event of a breach. The heat of the moment following a security breach is not the best time to be trying to figure out if a company has identified all the appropriate investigative and mitigation steps. Accordingly, we support and endorse the FTC's suggestions on developing a security incident plan in advance of specific problems. (Wiley Rein works with companies in all industries in developing appropriate security breach mitigation plans -- please let us know if we can be of assistance to your company in this area).