A closer look at several high-profile security lapses, and understanding what is a reasonable cyber security enforcement standard.
Understanding the FTC’s role in investigating and enforcing against data security failures
In a previous blog, we discussed the FTC and its role in enforcing various data privacy policies. In this article, we take a closer look at how it developed into the main cyber enforcement body, how it assesses liability, and a sample of the enforcement actions it has filed, all in an effort to protect consumers.
Much like the district attorney on the popular television show “Law and Order,” the FTC acts on behalf of the public: it protects consumers’ personally identifiable information (PII) and takes the enforcement measures needed to ensure that consumer rights are upheld when people hand over personal details in order to use the products and services available to them.
When the FTC was created in 1914, its purpose was to prevent unfair methods of competition. Over the years, Congress passed additional laws to give the agency even greater authority to police anticompetitive practices.
Today, the FTC’s authority is broad enough to address a wide array of practices affecting consumers, drawing on a variety of sector-specific laws, including:
- The Truth in Lending Act
- The CAN-SPAM Act
- The Children’s Online Privacy Protection Act
- The Equal Credit Opportunity Act
- The Fair Debt Collection Practices Act
- The Telemarketing and Consumer Fraud and Abuse Prevention Act
Assessment and judgment based on reasonable security standards
Also, as in “Law and Order,” the FTC plays the investigating role, like the police, when assessing an organization’s responsibility for a data breach, and more specifically whether the organization applied a “commercially reasonable standard” to protect consumers’ PII.
For organizations under investigation for a data breach or privacy violation, the use of the term “commercially reasonable” is a positive, because it takes into account the business they are in and the type of data they collect and store. For example, a small retail store that captures credit card numbers to process purchases will not be judged in the same manner as a financial institution that holds a consumer’s full PII on file: social security numbers, credit card numbers, contact information, and so on.
Unfortunately, there is no agreed-upon definition of what a “reasonable standard” means, which leaves a lot open to interpretation, and there is no hard description of exactly which steps must be taken to meet it. Instead, organizations must look to what the FTC (or the courts) have identified as unreasonable practices, which include:
- Not restricting network access to those with a need to know
- Not monitoring the network to detect questionable activities or unauthorized users
- Ignoring network warning signs, intrusion alerts, or other red flags
- Violating industry data privacy regulations
- Not maintaining up-to-date antivirus software or other controls to protect against malware
- Not having a written data breach response plan
- Not conducting employee training on data security
This leaves organizations to assume that if they cover all of these bases, they have made a reasonable effort and will be held not responsible, or at worst minimally responsible, for a breach. Note that this is an inference rather than a safe harbor: the list describes practices that have already been found unreasonable, not the full set of practices that might be.
One precedent the FTC has established is that liability for a loss extends to almost everyone involved in the business, and that all of their behavior is subject to scrutiny, much like an “accessory” to the breach. Organizations may be held legally responsible for privacy violations that result from a vendor’s unsatisfactory security practices. This means organizations need to take great care when selecting vendors, and should carefully consider questions such as:
- Do prospective vendors have the same or better security standards as you?
- Do you fully understand how they are storing and handling your data?
- Can you require that they follow industry best practices to safeguard your sensitive data?
- Do they have cyber-insurance? Will they add your organization to their policy?
Authority extends to judge and jury
Here we deviate from the “Law and Order” analogy: the FTC also acts as judge and jury when it comes to handing down penalties. Since 2002, the FTC has brought over 60 cases against companies whose unfair or deceptive practices, in the FTC’s view, failed to adequately protect consumers’ personal data.
Some of 2017’s most significant cyber enforcement examples included the following:
Uber’s security practices failed to provide reasonable security to prevent unauthorized access to consumers’ personal information stored with a third-party cloud provider. Two clear violations were cited:
- A single key was used, providing full administrative access to all data
- Sensitive consumer information was stored in plain readable text
As a result, an intruder successfully accessed more than 10,000 Uber drivers’ names and driver’s license numbers.
Lenovo sold hundreds of thousands of laptops with a preinstalled program called VisualDiscovery, which sat between the browser and the web and replaced each website’s digital certificate with its own. It turned out that the program did not adequately verify that a website’s digital certificate was valid before replacing it, and it protected its certificate’s private key with the same password on every laptop instead of a unique one per machine.
This meant that consumers’ browsers could not warn them when they visited potentially spoofed or malicious websites presenting invalid digital certificates: the browser only ever saw VisualDiscovery’s certificate, which it had been configured to trust. It also meant that an attacker who cracked the shared password once could intercept consumers’ communications with any website, including those of financial institutions and medical providers, on every affected laptop.
Inadequate security measures left D-Link’s wireless routers and internet cameras vulnerable to hackers. According to the complaint, D-Link promoted the security of its routers on its website but failed to take adequate steps to address well-known, easily preventable security flaws.
Yet it is important to note that the FTC’s powers are not absolute. Many organizations are challenging the FTC, and some are winning their cases.
For example, appellate court rulings can effectively overturn the FTC’s cyber enforcement orders. In those rulings, the courts accepted that the FTC has the authority to regulate security practices, but found that the FTC’s orders set standards too vague to be enforceable going forward. These findings will not take the FTC out of cyber enforcement, but they will lead to more challenges to its authority. We will take a closer look at these examples, and their outcomes, in a future blog article.
CSPi’s security solutions are optimized to protect you from noncompliance fines
CSPi offers a comprehensive portfolio of security solutions to conquer the complexities of end-to-end data protection and to avoid the financial impact of data breaches. To remove the risk of noncompliance fines, organizations must make their data unusable to an intruder and focus their breach response accordingly. To do this, there must be a greater emphasis on automating processes to remove as much manual effort and uncertainty as possible. Interested in learning more about what makes CSPi solutions different? Download our white paper, “How to Secure DevOps Across Any Environment,” or contact us today.