The Third Circuit Court of Appeals announced on Monday, August 24, 2015 that the Federal Trade Commission is acting within its authority when it takes action against companies for poor data security practices. Take heed. You may be doing exactly what the FTC is complaining about.
The Third Circuit Court of Appeals was hearing a case brought by Wyndham Hotels, complaining that the FTC had no jurisdiction to sue Wyndham after they suffered three breaches of personal and financial information. The FTC does not tell us what computer security standards we must meet, they complained, and Wyndham was the victim of hackers and poor security practices at their franchisees. These three breaches, they insisted, were not their fault.
But since 2003, the FTC has been taking action against companies who claim to have sufficient security controls, but do not. Companies often overstate the security of their systems in order to attract business, making this an “unfair or deceptive practice.” False assurances are squarely in the realm of the FTC’s authority, and they have every reason to pursue companies whose false claims precede a breach (or, lately, if they have other evidence of false claims and decide to pursue those even without a breach).
Is it an exaggeration to say that the FTC is coming to get you? No. Not really. While their high profile cases follow breaches, and you may not know of a breach from your systems or vendors yet, they also pursue some other obvious false claims. Since early 2014 the FTC has been publically announcing companies that claimed EU Safe Harbor compliance in order to obtain international contracts, but had not actually met those requirements.
So how do you avoid the gaze of the FTC? It’s simple.
If you claim to anyone that your security controls over their information are somehow reasonable or good enough, or sufficient, or … reliable, then:
- Assess the risks involved in the systems, processes and facilities where sensitive information goes.
- Determine whether those risks are reasonable (be sure in your risk analysis to balance your mission and objectives against your obligations).
- Operate a plan to implement controls that reduce those risks to demonstrably reasonable levels (again, refer to the balance standard mentioned above).
- Observe controls over time to detect their success or failure, and fix or improve the weak controls.
- Appoint an executive the responsibility to operate and improve the data security program.
- Be sure that any third parties who can affect the security of your information systems or data are doing the same.
If you want verification that this is the way to avoid the FTC’s punishment read every one of the orders and decrees they have made on the topic for the past 12 years. Warning: it may get boring, because they keep saying what you just read over, and over, and over again. They have been consistent on the point since 2003. And guess what? This risk management approach is the same thing you are supposed to do for GLBA compliance, HIPAA Security Rule compliance, CMR 17.00 compliance, etc. One effort takes care of all requirements.
Do you know “reasonable” for your organization?
If this sounds difficult to do, work with someone who has done this for organizations over and over and over again so you get it right with the least pain. (Hint: HALOCK has done this for organizations over and over and over again).
Alternatively, you could just tell your clients that you can’t assure them that their data is secure while under your watch. The FTC doesn’t go after companies that tell the truth.
The choice is yours.
Author: Chris Cronin, ISO 27001 Auditor