There have been several significant developments in the area of cybersecurity over the past few weeks that warrant special attention because of their likely impact on businesses. Blank Rome’s Cybersecurity & Data Privacy Group closely monitors developments in the area of cyber and data security and is prepared to assist our clients in responding to the evolving cyber threat.
FTC Prevails in Fight to Regulate Cybersecurity Practices
On March 7, 2014, U.S. District Judge Esther Salas in New Jersey issued a much anticipated decision in FTC v. Wyndham Worldwide Corporation, et al., rejecting a direct challenge to the Federal Trade Commission’s (FTC) authority to police corporate cybersecurity practices. In light of this decision, companies seeking to avoid a run-in with the FTC would be wise to retain cybersecurity professionals to review their cybersecurity practices in light of all relevant FTC rulings and statements.
For some time, the FTC has argued it possesses the authority to bring equitable actions challenging cybersecurity practices under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices.” For its part, Wyndham argued that Congress, not the FTC, is the proper body to regulate cybersecurity and that Congress alone has authority over data security standards. Wyndham also argued that the FTC has failed to publish rules or regulations providing companies with fair notice of what protections are expected. By using private enforcement actions, the FTC is, in essence, developing a body of de-facto regulations. Wyndham argued that businesses cannot be expected to comply with the unpublished regulations.
Rejecting a narrow interpretation of the FTC’s Section 5 powers, Judge Salas concluded that when Congress created the commission in 1914, it vested the FTC with broad discretionary authority under Section 5 to “define unfair practices on a flexible, incremental basis.” With regard to the challenge to the lack of FTC notice, after analyzing the state of the law, the court concluded that the FTC was not required to formally publish regulations over cybersecurity before bringing an enforcement action under Section 5’s unfairness prong. Judge Salas noted that “[t]he courts have consistently held that where an agency, as in this case, is given an option to proceed by rulemaking or by individual adjudication the choice is one that lies in the informed discretion of the administrative agency.”
While still subject to appellate review and not binding on other federal courts, Judge Salas’ decision paves the way for the FTC to seize the mantel as the top federal enforcement authority in the area of cybersecurity. A more complete discussion of the FTC v. Wyndham Worldwide Corporation, decision can be found on our blog at Cybersecuritylawwatch.com.
Joint Antitrust Policy Statement on Sharing Cybersecurity Information
The Federal Trade Commission (FTC) and the Department of Justice (DOJ) recently issued a policy statement on the sharing of cyber-security information that “makes clear that properly designed cyber threat information sharing is not likely to raise antitrust concerns and can help secure the nation’s networks of information and resources.”
The policy statement is intended to address a long recognized roadblock to the aspirational goal of combating cyber threats by encouraging private entities to share confidential threat awareness information. To date, this objective has been thwarted by the realistic concern that the sharing of non-public information between competitors could violate antitrust laws or trigger an antitrust review.
FTC Chairwoman Ramirez notes that “[t]his statement should help private businesses by making it clear that antitrust laws do not stand in the way of legitimate sharing of cybersecurity threat information.” Sharing this viewpoint, Deputy Attorney General James M. Cole recognized that “[p]rivate parties play a critical role in mitigating and responding to cyber threats, and this policy statement should encourage them to share cybersecurity information.”
Although a step in the right direction, the policy statement is unlikely to materially impact the practices of many businesses because of its lack of specificity. Rather than provide a clear set of guidelines, the policy is merely an analytical framework to be used by the antitrust agencies to determine if the sharing of information crosses the line from permissible to impermissible. For example, the policy notes that “[t]he Agencies do not believe that antitrust is—or should be—a roadblock to legitimate cybersecurity information sharing” and their “primary concern in this context is that the sharing of competitively sensitive information – such as recent, current, and future prices, cost data, or output levels… .”
In the absence of a uniform legislative solution by Congress, businesses should view the policy statement’s invitation to share cyber threat information with caution. Given the number of employees at the FTC and DOJ, their varying personalities, individual agendas and autonomy, the subjective “analytical framework” will most likely not be applied in a uniform or predictive fashion. A copy of the policy can be found on our blog at Cybersecuritylawwatch.com.
The “Heartbleed” Bug: More Pervasive and Widespread
A major security vulnerability dubbed “Heartbleed” was disclosed Monday night, and it has severe implications for the entire web, as well as corporate networks. Heartbleed is a serious vulnerability in the popular OpenSSL cryptographic software library. OpenSSL is used by most web sites and network equipment manufacturers to convert sensitive information into a string of unrecognizable characters (i.e. encryption). Heartbleed exploits a flaw in OpenSSL to access private data such as usernames, passwords, and credit card numbers. OpenSSL is used by at least 66 percent of all servers on the internet, including popular sites such as Google, Yahoo, Amazon, Netflix and Tumbler.
Originally thought to primarily impact consumers, a recent announcement by Cisco Systems and Juniper Networks, Inc. exposes Heartbleed as a major threat to corporate networks. The two largest manufacturers of network equipment stated that some of their products contain the Heartbleed bug. With the bug located on the hardware of many corporate servers, traditional defenses such as firewalls and virtual private networks may be ineffective. Hackers may now be able to exploit the flaw with hardware to infiltrate the networks and capture usernames, passwords and other sensitive information stored on corporate networks.
Many web sites and equipment manufacturers have begun implementing patches/fixes to eradicate the Heartbleed bug. For their part, companies should proactively inventory their network equipment to see if it potentially contains Heartbleed and to work with manufacturers to install software patches as soon as they are available. This is a rapidly developing issue that should be monitored closely.