For companies increasingly attuned to regulators’ cyber-security regime, John Krebs, of the Federal Trade Commission’s division of privacy and identity protection, puts things in perspective.
“Just because you were breached does not mean your security was unreasonable or a violation of the FTC Act,” he says. A breach does not automatically mean liability if security measures and the subsequent response are “reasonable.”
That word reasonable, however… therein lies the rub.
Myriad cyber-security frameworks, regulations, and laws converge on the idea that companies must take “reasonable” measures to protect their data. So what does that mean in practical terms? Where is the line drawn between the reasonable and the unreasonable?
That question—one that may not have an easy answer—was on the minds of attendees at a conference held in Boston recently by the Advanced Cyber Security Center, a non-profit consortium of companies, government representatives, and academics addressing cyber-threats.
To bring clarity to the “reasonable” dilemma, the FTC recently boiled 50 of its cyber-security enforcement actions down into a slim guide for businesses, “Start with Security.” Among the crucial steps: control access to data sensibly; segment your network and monitor who’s trying to get in and out; secure remote access; apply sound security practices when developing new products; make sure service providers implement reasonable security measures (there’s that word again!); and secure paper, physical media, and devices.
Assessing a company’s cyber-preparedness through the lens of reasonableness doesn’t have to be an overly technical exercise, said Gus Coldebella, a principal at law firm Fish and Richardson and former acting general counsel for the U.S. Homeland Security Department. He frets that companies may “over-invest in the personally identifiable information,” focusing on the data that resides on networks to the exclusion of other data that would be even more significant and damaging in the event of a breach—trade secrets, for example, or high-level communications (ask any Sony executive about that one), or your company’s communications with the government.
Coldebella also expressed his concerns about how regulators, notably the FTC, insist on a reasonability standard without having clear regulations on the books. “When you are a regulator and you are going to bring enforcement actions, settle cases, and sometimes litigate them, it would help the regulated entities to actually have regulations that say these are the standards you are going to be held to,” he said. “The lessons learned from those 50 cases are very instructive, but if you are going to keep bringing actions in this area, why don’t you tell us what standard you are going to be using?”
The reasonableness standard the FTC and Securities and Exchange Commission rely upon is “subject to broad and wide interpretation,” Coldebella added, allowing enforcement without matching regulation.
Krebs conceded that the lack of specific rulemaking at his agency is an issue for the business community, but stressed the importance of not over-thinking cyber-security obligations.
“All the different standards and frameworks are all very similar, even NIST [National Institute of Standards and Technology], which is dealing with critical infrastructure,” he said. “You need to look at it in the context of your company and where you fit in, because not everything is going to be necessary and appropriate. Oftentimes, companies know best what they need and what they should be doing. You are the ones who know your network and whether segmentation is necessary and appropriate, how it should be done, what access controls you need, and what is and isn’t going to work.”
The advice from Deborah Hurley, a security consultant and fellow at Harvard University, is that a reasonable approach is focused as much on people as technology. “The whole ‘cyber’ thing clouds people’s way of thinking about it,” she says. “It is really the security of the information system and that definition includes the human beings who interact with the system.”
Boards Get Moving
The board of directors needs to take charge, as many have started to. “The message of hope in an otherwise dark sea is that the reluctance of boards to engage in cyber-security in the past centered around not knowing the technology,” Coldebella says.
EXPECTATIONS OF THE FTC
The following are excerpts from the Federal Trade Commission’s “Start With Security: A Guide for Business.” The recently released guide draws upon more than 50 law enforcement actions announced by the FTC.
Apply Sound Security Practices When Developing New Products
So you have a great new app or innovative software on the drawing board. Early in the development process, think through how customers will likely use the product. If they’ll be storing or sending sensitive information, is your product up to the task of handling that data securely? Before going to market, consider the lessons from FTC cases involving product development, design, testing, and roll-out.
Make Sure Service Providers Implement Reasonable Security Measures
When it comes to security, keep a watchful eye on your service providers – for example, companies you hire to process personal information collected from customers or to develop apps. Before hiring someone, be candid about your security expectations. Take reasonable steps to select providers able to implement appropriate security measures and monitor that they’re meeting your requirements. FTC cases offer advice on what to consider when hiring and overseeing service providers.
Put It in Writing
Insist that appropriate security standards are part of your contracts. In GMR Transcription, for example, the FTC alleged that the company hired service providers to transcribe sensitive audio files, but failed to require the service provider to take reasonable security measures. As a result, the files – many containing highly confidential health-related information – were widely exposed on the internet. For starters, the business could have included contract provisions that required service providers to adopt reasonable security precautions – for example, encryption.
Security can’t be a “take our word for it” thing. Including security expectations in contracts with service providers is an important first step, but it’s also important to build oversight into the process. The Upromise case illustrates that point. There, the company hired a service provider to develop a browser toolbar. Upromise claimed that the toolbar, which collected consumers’ browsing information to provide personalized offers, would use a filter to “remove any personally identifiable information” before transmission. But, according to the FTC, Upromise failed to verify that the service provider had implemented the information collection program in a manner consistent with Upromise’s privacy and security policies and the terms in the contract designed to protect consumer information. As a result, the toolbar collected sensitive personal information – including financial account numbers and security codes from secure web pages – and transmitted it in clear text. How could the company have reduced that risk? By asking questions and following up with the service provider during the development process.
Directors, he explains, are more likely to assess strategy in a tactical, risk-focused way, asking questions about what areas of risk and liability exist, what policies and procedures are needed, whether an adequate risk assessment was conducted, and “have we gone through all of our information assets and determined where they are, what we have that bad guys might be interested in, and how quickly we would know if someone looked at it, altered it, or deleted it.”
“For a lot of reasons, good and scary, boards are focused on this because they know how to deal with these enterprise risks,” he said.
Krebs, returning to the question of what passes muster as “reasonable,” agreed that the risk assessment component is critical. “It is the start of security and something entities know how to do,” he said. “The other important thing though, on the back end, is incident response and having a plan in place so that if something happens you are able to respond to it, minimize it, and deal with it.”
Assessing what’s reasonable, as amorphous as it may seem for companies, is even more important when applied to the vendors you use. In the financial services world, for example, banks are even required to take part in business continuity testing for crucial vendors.
Coldebella is no fan of what may be a heavy-handed approach to supply chain and third party liability. “If a regulator is requiring a bank to hew to a standard, and the standard includes making sure that everybody else who touches your data also raises themselves to the same standard, then the bank becomes a regulator,” he said. “If Goldman Sachs says to all of its law firms, ‘jump this high,’ they will ask how many times they want them to jump. A mid-sized bank might not have the same market power. It is a double whammy for that entity because you are out there acting like a regulator without the power to cause the desired result, and you are left with an audit report where you have to say you used a vendor that doesn’t meet your standards.”
Coldebella described this difficult situation as indicative of “immaturity in the marketplace” and expressed hope that eventually a standardized approach will emerge for how vendors must be handled.
Ultimately, he added, now and in the future, a “reasonable” approach is a risk-based approach. “You don’t need absolutely everything on the list for every vendor,” he says. Resources and marketplace power must be factored in.
“I don’t know if I can answer the question of what’s unreasonable,” Krebs admitted. “If you do nothing, of course that is unreasonable. So don’t do nothing; do something. The third-party vendor issue is very big and very complicated.”
Krebs’ advice is the oft-used cliché: trust but verify. Security provisions must be written into contracts, with verification tailored to the service provided. His other advice, in general as well as specifically for vendor oversight, is to be able to articulate security efforts in an “elevator pitch.” If a regulator comes calling, be able to describe quickly, succinctly, and without excessive technical jargon how risks were prioritized, where your focus was, why something may have slipped through the cracks, and how this risk will be mitigated moving forward.
“Use common sense and make sure to the best of your ability that the vendor is really doing what they are supposed to be doing, and your approach starts to look reasonable,” he says.