It’s an unquestionable fact that our industry’s current state of cybersecurity strategy and tactics is at best inconsistent and immature. Only the top one percenters are able to budget, plan, and execute in any robust way -- and even among that group there’s pervasive and crippling inconsistency.
Perhaps the most disturbing part of this problem is that, despite several years of spotlight and scrutiny over one big breach after another, it’s not really getting measurably better...yet. But that all looks to be changing -- and fast. Over the course of 2015, there have been a few significant developments that could alter the corporate cybersecurity landscape for the better.
- In August of this year, the Third Circuit US Court of Appeals upheld a lower court verdict ruling in the case of the Federal Trade Commission (FTC) v. Wyndham Hotels giving FTC authority to police the data security standards (or lack thereof) of American companies.
- Then, in late September, Standard & Poor's (S&P), the brand name in credit and debt ratings for businesses and government entities, issued guidance that it had the authority to downgrade the ratings of financial service firms lacking in cybersecurity.
- In October, the US Department of Defense (DoD) issued a mandate that requires defense contractors to disclose details of any negative cyber hit or risk penalties that could lead to loss of their contracts.
Will these measures be the catalyst that finally compels industry to get serious about cybersecurity?
To help me understand the legal underpinning of these rulings, I spoke with noted technology lawyer Michael Oliver from Oliver-Grimsley in Baltimore, Md. According to Oliver, rulings like the Wyndham decision are opening a new front in enterprise cyber defense preparation and diligence.
“Wyndham chose a full-on frontal assault on the authority of the FTC, and lost,” Oliver told me. “The case is a great example of inaction causing action. Congress has not regulated much in this area -- no omnibus privacy or data security law. So the FTC, much like it did in privacy, stepped in and started asserting its somewhat amorphous ‘unfairness’ standard against companies with horrible computer and data security practices.”
In the near future Oliver expects to see “a breakthrough [of] civil class action style case to come down.” Until then, he predicts the FTC will be “cherry picking the low hanging fruit of really, really bad data security cases, and going after those companies.”
The norm, not the exception
For Wyndham, according to my own reading of the case, evidence of poor data security was visible everywhere -- a worrisome commentary on the state of cybersecurity across our industry. The truth, from my own experience and from the details in FTC v. Wyndham, is that Wyndham's level of security was, in fact, the norm and not the exception.
The big question for business going forward is how to develop a meaningful understanding of what reasonable security measures mean; it’s no longer what everyone else is doing. Before the ruling, Oliver explained to me, the old standard was “kinda like driving 80 mph and keeping up with traffic and then the police pull you over.” Today, he said, the fact that “other people were doing it (or were not doing proper security) is not a defense.”
In Oliver’s view, post FTC v. Wyndham, companies will need to address three areas: initial security system data design; monitoring and prompt notice and mitigation; and remote access/third party access. So, to prepare -- from a legal perspective -- Oliver recommends that companies set realistic goals; document those goals and audit performance over time.
“Of course you still should address breach, notice and mitigation, and do all of the other things generally required to maintain a commercially reasonably secure system,” he told me. “But if the firm shows a real commitment to computer data security, I think the FTC will be more lenient.”
[For more on the topic, check out UnitedLex Senior VP and Chief Privacy Officer’s FTC v. Wyndham: ‘Naughty 9’ Security Fails to Avoid.]
The bad news is that with the Wyndham case there are “no rules, no safe harbors, no conduct to advise a client -- if you do this, the FTC will not come after you.” According to Oliver, that was an argument Wyndham made: that it did not have fair notice of what conduct fell under the “unfairness” standard, and that the FTC can only impose those standards via rule-making and not ad hoc adjudication. “Wyndham lost on that issue too,” he said. “So, while we can say what conduct we know for sure is a violation, we cannot say what conduct for sure is not a violation.”
As usual, the best defense is, well, the best defense possible -- and even more so for those of us in the business of safeguarding corporate data and individual privacy. To take cybersecurity seriously today, companies must do a lot more than just buy firewalls and SIEMS and IDS/IPS systems. In this new climate, organizations must show they know their risks and that they’re identifying and mitigating threats and documenting continuous, persistent diligence.
Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015.