Every day, information security professionals have to make decisions about whether the security measures they have taken are sufficient or if they should spend more money on additional protections. We all know that there is no such thing as perfect security. So, the question always remains: what level of security is necessary to comply with the law?
The FTC has not established any clear data security standards through formal rulemaking. Nevertheless, the FTC has brought more than forty data security cases against companies, charging under Section 5 of the FTC Act that they failed to take adequate and reasonable security measures to protect consumer data, resulting in the unauthorized disclosure of private information.
For the first time, two companies have pushed back against the FTC’s authority under Section 5 (its unfair and deceptive trade practices authority) to bring such data security cases against companies whose data breach was caused by a third party. Because these two companies have refused to settle, the FTC has had to go to court.
In June 2012, the FTC brought an action against Wyndham Hotels following three data breaches in under three years. The FTC charges that Wyndham acted deceptively in representing that it had implemented reasonable and appropriate security measures to protect personally identifiable information against unauthorized access, and that Wyndham acted unfairly in failing to employ reasonable and appropriate security measures. The FTC alleges that these failures led to data breaches that resulted in fraudulent charges on consumers’ accounts and the export of payment card information to an Internet domain in Russia. Wyndham has challenged the FTC’s authority to bring an action based on security breaches caused by a third party. Among its arguments, Wyndham says that the FTC has not published rules giving companies sufficient notice of what data security practices are required in order to comply with Section 5.
In August 2013, the FTC announced that it had brought an administrative action against LabMD, alleging that LabMD’s failure to take adequate and reasonable security measures resulted in the unauthorized disclosure of consumer personally identifiable information, including names, Social Security numbers, and medical procedure diagnostic codes. The FTC requested that LabMD provide information to help the FTC determine what caused the breach. LabMD refused to comply with the FTC’s requests for information, and the FTC sought a court order. The District Court agreed with LabMD that the FTC’s power under the “unfairness” provision of Section 5 is not unlimited, but nevertheless ruled that the FTC’s investigative authority is broader than its enforcement authority, so LabMD was required to provide the information in response to the FTC’s requests.
The FTC has asked Congress in the past for additional authority to mandate data security policies and practices, but so far Congress has not passed a federal data security standard.
So, what is a company to do? If your company is governed by a law that does include more specific security standards, like the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule, then you have some guidance as to your obligations. With regard to the FTC, no clear standards exist. However, the complaints that the FTC has filed against LabMD, Wyndham, and others are somewhat helpful in revealing the kinds of conduct that the FTC considers “unfair,” including:
- failure to implement or maintain a comprehensive data security program to protect consumer information through the use of readily available measures, including things like firewalls and employee training;
- permitting improperly configured software to display passwords, financial information, or login information in unencrypted clear text (for example, it is alleged that Wyndham stored sensitive payment card information in clear readable text);
- failure to ensure and maintain security across user networks (for example, it is alleged that Wyndham did not employ network segmentation between hotels and its corporate network);
- failure to follow best practices for password complexity;
- failure to employ reasonable measures to detect and prevent unauthorized access;
- failure to use reasonable security to design and test privacy sensitive software;
- improper use of peer to peer networks;
- failure to follow proper procedures to prevent repeated intrusions—it is not acceptable to suffer repeated security breaches without fixing the problem;
- failure to restrict third party access to data networks.
Further, companies should review their online privacy statements and other public statements to determine what representations they have made to the public regarding the security measures they implement. Companies often see these statements as an opportunity to win over customers by promising stellar security protection. This is not wise: a deception claim based on a company’s failure to live up to its own public promises puts the FTC on much stronger ground than an unfairness claim, so every security promise made in public is a commitment the company must actually be able to demonstrate it keeps.