Last week, as part of its Fall Technology Series, the Federal Trade Commission (“FTC”) hosted a much-anticipated workshop to explore the privacy concerns associated with drones. Although many in the audience hoped that this workshop would provide some insight into the FTC’s perspective and position on regulation of drones and privacy, the workshop left attendees with more questions than answers. We were there, and provide you with some of the key takeaways.
What should companies do when ransomware hits? The FBI says: (a) report it to law enforcement and (b) do not pay the ransom. Given the recent onslaught in ransomware attacks—such as a 2016 variant that compromised an estimated 100,000 computers a day—companies should consider how their incident response plans account for decision-making in response to ransomware, and include this scenario in their next (or an interim) tabletop simulation.
FBI Public Service Announcement
In a September 15 announcement, the FBI urged companies to come forward and report ransomware attacks to law enforcement. The FBI acknowledged that companies may hesitate to contact law enforcement for a variety of reasons: uncertainly as to whether a specific attack warrants law enforcement attention, fear of adverse reputational impact or even embarrassment, or a belief that reporting is unnecessary where a ransom has been paid or data back-ups have restored services.
Notwithstanding these dynamics, the FBI is calling on companies to help in the fight: “Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases.”
The FBI also offered some best practices that companies should consider incorporating into their cybersecurity program and/or their disaster recovery and business continuity plans. These recommendations include: regular backups that are verified, securing backups, implementation of anti-virus and anti-malware solutions, increased employee awareness training, institution of principle of least privilege policies, and more. READ MORE
Happy U.S. National Cybersecurity Awareness Month! One year ago, in recognition of the Department of Homeland Security’s annual campaign to raise awareness about cybersecurity, Orrick’s Cybersecurity & Data Privacy Group launched its award winning blog Trust Anchor.
Almost daily we hear news about data breaches, cybersecurity and privacy enforcement proceedings, litigation, and new laws and regulations. Trust Anchor covers it all: recent cases, legislative and regulatory developments, emerging compliance standards and best practices for cybersecurity and privacy risk management, insurance trends and more! But, we don’t just report on these events, we highlight key takeaways and what these developments mean for you.
Last week, the Federal Trade Commission convened a ransomware workshop to discuss the rising epidemic of attacks against U.S. businesses and individuals. In a ransomware attack, a malicious actor tricks a user into downloading malware that encrypts all of their files, and then demands payment in exchange for the decryption key. In the current climate, ransomware attacks appear to be a question of “when,” not “if,” especially given The Department of Homeland Security’s July report that there have been an average of 4,000 ransomware attacks per day since January 1, 2016.
Last week, the FTC published a blog post titled The NIST Cybersecurity Framework and the FTC, in which the agency issued a nuanced answer to an oft-asked question: “If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?”
The short answer: “No.” On a more positive note, the FTC acknowledges that the NIST Cybersecurity Framework is aligned with the agency’s long-standing approach to data security and that it may serve as a useful tool for companies developing and evaluating a data security program. The FTC blog post reiterates, yet again, that there is no magic bullet to establish adequate data security. Ultimately, what is required is careful, detail-oriented design, implementation, and enforcement of sound policies and practices to mitigate both the impact of cybersecurity incidents and of serious regulatory scrutiny.
NIST Cybersecurity Framework: Not a Standard or a Checklist
The Department of Commerce’s National Institute of Standards and Technology (NIST) issued the NIST Cybersecurity Framework in February 2014. The Framework organizes security around a“Core,” consisting of five (5) functions – Identify, Protect, Detect, Respond and Recover – that represent the high-level activities that help organizations make sound decisions around risk/threat management and forward improvement. Each function maps to key categories of desired outcomes (e.g., “Asset Management,” “Access Control”). Each category then expands to a series of more specific outcomes and technical/management activities that are, in turn, tied to dozens of “informative references,” such as ISO/IEC, ISA and COBIT, which are well established implementation standards. The Framework doesn’t include specific practices or requirements. Instead, it’s meant to facilitate an iterative process that involves “detecting risks and constantly adjusting one’s security program and defenses.”
As the FTC notes, the NIST Framework “is not, and isn’t intended to be, a standard or checklist.” To bluntly answer the million-dollar question: “there’s really no such thing as ‘complying with the Framework.’’’ The Framework provides guidance on process. It does not proscribe the specific practices that must be implemented. Most importantly, the FTC correctly observes that there is “no one-size-fits-all approach,” nor the possibility of achieving “perfect security.” Put simply, the framework is just that: a framework for understanding the current state of an organization’s cybersecurity program and preparing a risk-based approach to improving maturity.
FTC’s Enforcement Record Aligned With NIST Framework
The FTC blog post highlights that NIST’s focus on risk assessment and mitigation are “fully consistent” with concept of “reasonableness” embedded in the agency’s Section 5 enforcement record. The post lists numerous examples from the FTC’s list of 60+ cybersecurity actions to date where the deficient security practices underlying the FTC complaint align squarely with the Framework’s Core functions:
- Identify: failures to maintain processes for receiving, addressing, or monitoring reports about security vulnerabilities;
- Protect: providing broad employee administrative access to data systems; failure to secure sensitive data in-transit; and to appropriately manage removal, transfer or disposition of data;
- Detect: failures to use processes to identify unauthorized intrusions to networks and systems(i.e., monitoring), and unauthorized external disclosures of personal information;
- Respond: repeated failures to enhance incident response procedures despite multiple data breaches, and failure to notify consumers regarding known vulnerabilities associated with products
- Recover: consent orders that include requirements to proactively notify consumers about security vulnerabilities and remediation measures, and to work with security vendors as part of sustaining secure products/services.
- Companies must continue to operate without specific FTC security standards.
Nothing in the FTC’s recent post points to specific, articulated security practices that organizations can employ to avoid enforcement under the FTC’s Section 5 authority to regulate “unfair practices.” In other words, there are no hard and fast rules on what is (or is not) required. If anything, the post makes the opposite point: each company has unique risks that call for a fact-specific assessment of “reasonable” data security measures in light of sensitivity of the data the company holds, the size and complexity of the company’s operations, known threats in the industry, the availability and cost of security tools, and other factors that make up an organization’s risk profile. Accordingly, companies must continue to synthesize the myriad regulatory consent decrees, frameworks, guidelines and litigated outcomes that collectively outline the contours of reasonableness in cybersecurity to understand what the FTC expects and what they deem as (un)reasonable.
For example, prior FTC enforcement actions establish mileposts for minimally necessary security measures (e.g., firewalls, encryption, access controls, vendor management, and incident response planning) that companies should implement and test for efficacy. Companies that go without them risk heavy investigative and enforcement scrutiny by regulators and plaintiffs alike. In addition, the FTC has made clear that cybersecurity must be a dynamic (not static) process that includes measurable adaptation and improvement. What is a defensible posture today, may not be so tomorrow. Information security programs (including technical security tools) and incident response plans that are not adaptable (or adapted) to changing risk landscapes, attack vectors, third-party interplays, and other critical mesh points unique to each organization will not aid a company that comes under FTC scrutiny. Hence, the FTC’s emphasis on the NIST Framework as a process-oriented vehicle.
- While the FTC’s blog post focuses on security, its privacy mandate is equally important.
- Companies must still address significant devils-in-the-details.
Though the Framework eschews specific security procedures in favor of providing companies the flexibility design a “reasonable” data security program, it does not eliminate a company’s responsibility for compliance with other regimes. Even if a company uses the Framework to organize its approach to security, coordinating these various obligations and priorities is not made any less complicated or intense.
For example, companies that accept or process or provide technology in relation to payment card data must comply with specified Payment Card Industry (PCI) rules, including specific data security standards (PCI DSS) and implementation protocols. Covered entities and business associates under HIPAA and the Hi-Tech Act must comply with both specific and ‘flexible’ privacy, security and incident response rules issued by the Dept. of Health and Human Services. Financial institutions regulated by Gramm Leach Bliley, or under the purview of regulatory entities like the CFPB, FINRA, FDIC, OCC, and state analog agencies (e.g., NY DFS, California DBO), have specific industry tools such as the FFIEC’s cybersecurity assessment tool that is tailored for the financial space and expected to be used in audits and examinations. Companies operating in California may now be required to meet the Center for Internet Security’s Critical Security Controls as a minimum floor for security standards.  In addition, companies with B2B or sophisticated B2C relationships often have hundreds (often thousands) of contractual agreements that contain specified, and differing, security implementation requirements, as well as obligations in response to security incidents and data breaches – which are critical to operationalize. Finally, companies that operate in Europe must ensure that Framework activities are tightly harmonized with the EU data protection rules, including the oncoming General Data Protection Regulation (GDPR).
Remember that cybersecurity is about risk management, not risk avoidance. There is no such thing as 100% secure. A company that suffers a data breach may very well have been acting “reasonably,” for FTC enforcement purposes. The FTC’s cybersecurity enforcement history, guidance documents and staff reports (not to mention rules and guidance from an alphabet soup of other federal agencies), statutory requirements, and contractual obligations may all dictate data security minimums or best practices, and every regulator and security expert in the industry has a proposed set of best practices and guidelines to follow. The NIST Cybersecurity Framework presents a helpful tool by which to organize a compliance program that is adaptable and scalable, but ultimately, a company’s data security posture will be judged on the reasonableness of its implemented security practices, regardless of how the company developed its security program. A company will be best served by taking a careful, reasoned approach to cybersecurity preparedness, calibrating its security processes and controls to its own unique risk posture and industry norms, and always regarding cybersecurity as an ongoing process and priority.
 The Framework was prepared in response to an Executive Order calling for a risk-based methodology that could help critical infrastructure entities effectively identify, respond to, and recover from, cybersecurity risks. Over its short existence, it has become the guidepost for organizations across sectors well beyond critical infrastructure – regardless of their size, risk profile or regulated status, whether publicly traded or privately held.
 The FTC has publicly stated as follows regarding PCI compliance: “Certifications [of PCI compliance] alone will not suffice [to meet the obligations of providing adequate security safeguards], if we find evidence of security failures that put consumer information at risk. The injunctive relief we obtained in the Wyndham case corroborates our longstanding view that PCI DSS certification is insufficient in and of itself to establish the existence of reasonable security protections…[T]he existence of a PCI DSS certification is an important consideration in, but by no means the end of, our analysis of reasonable security.”
 Companies operating in California must contend with Attorney General Kamela Harris’ recent statement in California’s 2015 Data Breach Report that, “The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
Last week, fashion retailer Lord & Taylor reached a settlement with the FTC over its allegedly deceptive advertising campaign, the first such action since the FTC released its Enforcement Policy Statement on Deceptively Formatted Advertisements and its companion guidance, Native Advertising: A Guide for Businesses, in December 2015. Native Advertising is clearly on the FTC’s 2016 enforcement agenda.
On January 5, 2015, the Federal Trade Commission (FTC) entered into a consent order with dental software manufacturer Henry Schein Practice Solutions, Inc. (“Schein”) in connection with allegations that Schein had made misleading security-related representations about its software. The consent order underscores that while security-enhanced product features are in high demand, companies must be careful to avoid unfair or deceptive marketing of such features.
Following the Third Circuit’s ruling upholding the FTC’s authority to regulate unfair and deceptive cybersecurity practices under Section 5 of the FTC Act, Wyndham Worldwide Corporation and the FTC have agreed to settle. This marks the end to a hotly-contested and closely-watched case at the cross-roads of data security and regulatory enforcement.
As reported in our previous posts on this topic, Wyndham experienced three breaches of its systems in 2008 and 2009 resulting in the exposure of approximately 619,000 consumers’ credit card numbers. The FTC initiated an enforcement action in 2012 alleging that Wyndham engaged in unfair and deceptive cybersecurity practices in violation of Section 5 of the FTC Act. The FTC asserted that Wyndham’s cybersecurity practices were deficient in myriad ways that placed consumer data at risk of theft, for example, by storing payment card information in clear text, using weak and default passwords across networks, failing to install or misconfiguring firewalls, failing to adequately restrict vendor access to corporate networks, and failing to follow appropriate incident response procedures after successive cyberattacks.
On November 13, 2015, the Federal Trade Commission and the Federal Communications Commission entered into a Memorandum of Understanding to address coordination of consumer protection actions by each agency. Following a wave of what observers perceive as a turf battle between the FTC and FCC (namely the reclassification of broadband internet access services as a common carrier service outside the FTC’s jurisdiction), and a dramatic increase in FCC data security regulatory enforcement actions, the MOU suggests that the FTC and FCC are in fact serious about cooperation and collaboration, especially on data security issues. Although organizations have better transparency and predictability in the enforcement landscape, they should also anticipate more sophisticated investigations based on richer data and improved investigative techniques.
On Monday, the Third Circuit issued a highly anticipated opinion affirming the Federal Trade Commission’s authority to regulate “unfair” cybersecurity practices under Section 5 of the FTC Act. In allowing the data breach action against Wyndham Worldwide Corporation to proceed, the Court held that Wyndham was “not entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform.” This ruling confirms what many practitioners already know: companies must be particularly attentive to designing and updating policies and programs that not only consider the status quo patchwork of cybersecurity rules and regulations, but that also adapt to the myriad regulatory consent decrees, frameworks, and guidelines that outline the contours of reasonableness in the context of cybersecurity.