What Level of Security is Necessary to Comply with the Law?

By Jennifer Daniels

Every day, information security professionals have to make decisions about whether the security measures they have taken are sufficient or if they should spend more money on additional protections.  We all know that there is no such thing as perfect security.  So, the question always remains: what level of security is necessary to comply with the law?

The Federal Trade Commission (“FTC”) uses the FTC Act to police U.S. business data security standards.  Section 5 of the FTC Act prohibits “unfair or deceptive trade practices in or affecting commerce.”  “Deceptive” trade practices are essentially those that run counter to a representation made by the company to consumers.  So, if a company publishes an online privacy statement in which it states that it will secure the data of users of the site, and then it suffers a data breach, it is at risk of an FTC action claiming that it failed to live up to its promise stated in its privacy policy.  “Unfair” practices are those that are likely to cause substantial injury to consumers that are not outweighed by countervailing benefits to consumers or competition and are not reasonably avoidable by consumers.

The FTC has not established by official rulemaking any clear data security standards.  Nevertheless, the FTC has brought more than forty data security cases against companies charging, under Section 5, that they have not taken adequate and reasonable security measures to protect consumer data resulting in the unauthorized disclosure of private information.

For the first time, two companies have pushed back against the FTC’s authority, under its unfair and deceptive trade practices power, to bring such data security cases against companies that have suffered a data breach caused by a third party.  Because these two companies have refused to settle, the FTC has had to go to court.

In June 2012, the FTC brought an action against Wyndham Hotels following three data breaches in under three years.  The FTC charges that Wyndham acted deceptively in representing that it implemented reasonable and appropriate security measures to protect personally identifiable information against unrestricted access, and that Wyndham acted unfairly in failing to employ reasonable and appropriate security measures.  The FTC alleges that these failures led to data breaches that resulted in fraudulent charges on consumers’ accounts and the export of payment card information to an Internet domain in Russia.  But Wyndham has challenged the FTC’s authority to bring an action based on security breaches caused by a third party.  Among its arguments, Wyndham says that the FTC has not published rules that give companies sufficient notice of what data security practices are required in order to be in compliance with Section 5.

In August 2013, the FTC announced it had brought an administrative action against LabMD, alleging that LabMD’s failure to take adequate and reasonable security measures resulted in the unauthorized disclosure of consumer personally identifiable information, including names, social security numbers, and medical procedure diagnostic codes.  The FTC requested that LabMD provide information to the FTC to determine what caused the breach.  LabMD refused to comply with the FTC requests for information, and the FTC sought a court order.  The District Court agreed with LabMD that the FTC’s power under the “unfairness” provision of Section 5 is not unlimited, but nevertheless ruled that the FTC’s investigative authority was broader and so LabMD was required to provide the information to respond to the FTC’s requests.

The FTC has asked Congress in the past for additional authority to mandate data security policies and practices, but so far Congress has not passed a federal data security standard.

So, what is a company to do?  If your company is governed by a law that does include more specific security standards, like the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule, then you have some guidance as to your obligations.  With regard to the FTC, no clear standards exist.  However, the complaints that the FTC has filed against LabMD, Wyndham, and others are somewhat helpful in revealing the kinds of conduct that the FTC considers to be “unfair,” including:

  • failure to implement or maintain a comprehensive data security program to protect consumer information through the use of readily available measures, including things like firewalls and employee training;
  • permitting improperly configured software to display passwords, financial information, or login information in unencrypted clear text (for example, it is alleged that Wyndham stored sensitive payment card information in clear readable text);
  • failure to ensure and maintain security across user networks (for example, it is alleged that Wyndham did not employ network segmentation between hotels and its corporate network);
  • failure to follow best practices for password complexity;
  • failure to employ reasonable measures to detect and prevent unauthorized access;
  • failure to use reasonable security to design and test privacy sensitive software;
  • improper use of peer to peer networks;
  • failure to follow proper procedures to prevent repeated intrusions—it is not acceptable to suffer repeated security breaches without fixing the problem;
  • failure to restrict third party access to data networks.

Further, companies should review their online privacy statements and other public statements to determine what representations they have made to the public regarding the security measures that they implement.  Companies often see these statements as an opportunity to win over their customers by promising stellar security protection.  But this is not wise, given that the FTC is on much stronger ground in bringing an action against a company for failing to live up to its public promises.
