While there is no nationwide cybersecurity program, the Federal Trade Commission has brought more than 50 actions claiming that the cybersecurity practices of a variety of companies in a variety of industries. While these actions have primarily been administrative and resulted in settlements, and the specifics of each order apply only to the company affected, these actions are instructive as to what the FTC expects of cybersecurity programs. A byproduct of the FTC’s actions is a guide to companies to create better privacy and security policies and programs. While these cases don’t necessarily identify how to run “gold-standard” programs, they identify what the FTC expects as minimum standards for efforts to protect data.
The FTC has said that most enforcement actions it has brought involve “basic, fundamental security missteps.” Many are human error, but there are also plenty that show deficiencies in cybersecurity risk assessments and programs. This piece describes baseline guides; companies should consult qualified counsel for specifics. Engaging counsel itself on these issues is a sign to regulators that a company takes cybersecurity seriously. But doing it correctly depends on engaging top legal counsel and experienced advisors early on.
Human Factor. No cybersecurity program is ironclad as long as human error exists and the skills of hackers evolve at the same rate as technology itself. But many cybersecurity breaches are the result of more simple mistakes. The FTC requires “reasonable” efforts, not complete security.
It’s also important to note that cybersecurity solutions are not one-size-fits-all, even for companies within the same industry. Prevention programs depend on the unique circumstances and business practices of each company. Regardless of company or industry, however, a demonstrated commitment to security is required, both to satisfy the government and to protect valuable corporate and customer assets.
FTC and Reasonable Steps. While every situation is unique, “reasonable” cybersecurity plans, and those that take into account the FTC’s actions, should address the following:
- Designating Responsible EmployeesThis is the bedrock of any cybersecurity program. A clear organizational chart of who is responsible for establishing and maintaining security, and who are the dedicated first responders, are important first steps. All employees need to know whom to alert if they suspect hacking or malware. Plans need to be communicated like any other disaster plan.2
- Conducting Risk AnalysisThis is a vital step that that requires informed and thorough review. It requires an interdisciplinary team of IT, public relations, executive management, and legal counsel, both in-house counsel and outside counsel experienced with preventative cybersecurity duties and measures. Understanding which risks must be avoided, which risks can be assumed, and how to mitigate the rest is an essential building block to a meaningful cybersecurity plan.
- Implementing Reasonable SafeguardsThese include procedures, policies, and training. Companies often identify certain “privacy priority” parts of their business, but fail to identify all of the areas in which privacy is implicated. A business may recognize that the credit card information of its customers needs protection, but forgets the importance of protecting employee data. What are perceived as industry standards cannot necessarily be relied upon in a real-time, real-life scenario. Each company’s data policies should be uniquely tailored and take into account the company’s culture, policies, and practices.
- Test the PlanAn untried plan is simply a guess. Testing will show what elements of a cybersecurity plan are working and where there are weaknesses. These provide important feedback, and should a company’s policies and procedures be challenged, show an ongoing interest in cybersecurity and commitment to achieving best practices.
- Overseeing Service ProvidersIt is not enough to engage a data security provider and then put one’s program on autopilot. Service providers need to be monitored and managed. Balancing costs, risks and deterrents is a constant, real-time calculation. Involving legal counsel to ensure a plan meets the FTC’s “reasonableness” standard is a must.
- Engage in Regular Evaluations and UpdatesCybersecurity is a dynamic, ongoing effort. Hackers are constantly changing their business models; we, as their targets, need to do the same. As technology and industry standards evolve, what was considered a reasonable effort 18 months ago may no longer meet that standard. A multidisciplinary team, including legal counsel with experience dealing with scores of company data plans, is the best way to ensure companies keep up with best practices.
Cybersecurity is a multifaceted and ongoing effort. While the steps outlined above, based on FTC guidance, are helpful, they are only the starting point for securing important corporate and personal data. Companies need to make privacy and security a priority and core competence to compete in a world that depends more and more on securing data.