Written by Dan Verton
The answer to who is in charge of the federal effort to bolster the nation’s cybersecurity posture may not be as difficult to uncover as previously thought. As the Department of Homeland Security awaits public comments on its voluntary framework initiative—due Oct. 10—the Federal Trade Commission has been making an aggressive push to expand its authorities and force companies that have lax security programs to bolster their defenses.
To be fair, the DHS-backed program, known as the Framework for Improving Critical Infrastructure Cybersecurity and developed by the National Institute of Standards and Technology with extensive input from the private sector, is only seven months old. But despite more than a year of development work and meetings around the country, nobody is really sure yet how many private sector firms have adopted the voluntary standards or what impact the standards have had on the nation’s cybersecurity posture. What is clear, however, is that the number of massive data breaches is rising, and so is the number of punitive enforcement actions by the FTC targeting companies that have failed to take appropriate measures to protect consumer information.
This year, the FTC pursued its 50th data security enforcement case against an audio transcription company that it alleges did not properly protect the personally identifiable information contained in 15,000 user files exposed on the Internet. In addition, the agency recently announced it will investigate last year’s Target data breach, and some lawmakers are now calling on the FTC to investigate this month’s reported hacking incident at Home Depot that may have compromised the personal financial information of tens of millions of consumers.
The FTC is gaining ground in the national cybersecurity debate due to an aggressive attempt to expand its authorities under Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive acts or practices. The agency’s push for greater authority to regulate cybersecurity practices in the private sector won a major victory recently when a federal judge denied a motion to dismiss the FTC’s case against Wyndham Worldwide Corp. for failing to protect consumer information. According to a Sept. 11 report by the Congressional Research Service, the judge’s ruling effectively lends support to the FTC’s position that it possesses jurisdiction to regulate data security under its unfair or deceptive practices authority. And as new massive data breaches make the news, experts warn of additional FTC enforcement actions on the horizon.
“The FTC has already signaled that it sees a broad role for itself in data and cybersecurity,” said Megan Brown, a partner with Wiley Rein LLP in Washington, D.C. “The agency has been aggressively investigating and bringing cases, using an expansive approach to its legal authority. High-profile incidents like [the Home Depot and Target breaches] provide the agency with more rhetorical ammunition as it stakes out its territory.”
According to recent testimony by FTC Chairwoman Edith Ramirez, the FTC has leveraged its deceptive practices authority to settle more than 30 cases challenging companies’ express and implied claims about the security they provide for consumers’ personal data. The agency has also settled more than 20 cases alleging that a company’s failure to reasonably safeguard consumer data was an unfair practice.
“The agency seems content to let enforcement actions set general expectations for private industry,” Brown said. “While this case-by-case approach tends to foster uncertainty about the adequacy of compliance measures, the private sector should expect more investigations and information requests, particularly in the aftermath of a high-profile incident.”
Todd C. Taylor, an attorney at Charlotte, North Carolina-based Moore & Van Allen PLLC, agreed that more high-profile data breaches would likely lead to more activity by the FTC, but the biggest indicator of potential FTC actions is the recent decision in the Wyndham case. “The Wyndham ruling will likely embolden the FTC to more aggressively go after retailers that have experienced data breaches,” Taylor said. “Whether they will do so in the case of Home Depot, Target or others remains to be seen.”
Some fear any increase in FTC activity that tries to enforce cybersecurity standards could be damaging, not only to industry but to the overall government-led effort to coordinate cybersecurity information sharing.
Vijay Basani, CEO of Acton, Massachusetts-based EiQ Networks Inc., said the FTC is not qualified to set and enforce security standards and the agency should not attempt to do so. “FTC’s mission is to ensure the rights of consumers, fair trade, accurate information in the marketplace and the elimination and prevention of anticompetitive business practices,” Basani said. “Cybersecurity is not one of FTC’s missions and as such FTC does not have expertise and knowledge to enforce and set cybersecurity standards. It is best left in the current voluntary effort managed by DHS, which deals with cybersecurity on a daily basis.”
“There is clearly a role for consumer protection agencies and legislators to play in turning up the heat on companies who have been seen as not having done enough to secure personally identifiable and highly valuable data,” said Steve Durbin, managing director of the Information Security Forum. “So, it is interesting to see the FTC now weighing in on this. While I am not sure that they should have a role to play in setting standards, there is certainly a space that they can occupy in enforcing data security that is consistent with their overall mission. The fact that the FTC is an independent agency is an added bonus, and should be recognized.”
There are currently eight bills pending in Congress that would impact FTC’s role in cybersecurity, including several that propose granting FTC the authority to promulgate information security standards, to impose civil penalties on companies that fail to meet certain standards, and to issue administrative rules.