Earlier this week, a U.S. appellate court affirmed the Federal Trade Commission's (FTC) authority to regulate corporate cybersecurity under the "unfair practices" prong of Section 5 of the FTC Act. This isn't the first time the U.S. government has stepped in to address a problem that cuts across several industries, but it is significant progress.
In 2008, the CSIS Commission on Cybersecurity for the 44th Presidency called for immediate action, publishing research findings and recommendations intended to secure cyberspace and guide policy-making. However, the commission had no regulatory power and created no new laws, so nothing was enforced.
This can largely be attributed to the view, held by many, that cybersecurity is a problem the market will resolve on its own, on the presumption that adequate technology exists and supply and demand will do the rest. The reality is that the market has failed. In economic theory, a market failure is the point at which government must intervene through public policy, i.e. regulation or legislation. In this instance, the court has ruled that the FTC has the authority to preside over the digital security of Americans, not just their privacy. This position is very much in line with the European model, which makes no distinction between privacy and security; the two simply cannot be separated.
Under its affirmed powers, the FTC will continue to "prevent business practices that are anticompetitive, deceptive or unfair to consumers; enhance informed consumer choice and public understanding of the competitive process; and accomplish this without unduly burdening legitimate business activity." But the agency has now also been handed the mantle of protecting online security.
What the future holds
What does this all mean? The FTC can now take action if it finds that a corporation lacked "due diligence" in protecting the digital security of Americans. The standard of care will lean on the best practices in place for that industry at the time. Gone are the days when companies could simply adopt whichever security measures they chose to protect the privacy of their customers.
A great example of this is Wyndham Worldwide Corporation's failure to protect customers' sensitive data across three breaches, which resulted in more than $10.6 million in fraudulent charges. Clearly, Wyndham cares deeply about the physical security of its customers inside its hotels; when a guest walks into a Wyndham property they expect to feel safe. The ruling extends this to the cyber realm: consumers can now expect the same standard of personal security when they enter Wyndham's digital environment.
A corporate brand is fundamental to the tangible value of an organization. The reputational risk of failing to protect a brand from cyber attacks is already severe, and it grows with the new FTC powers, which can add financial penalties on top. Now more than ever, failing to factor the reputational risk to the brand into adequate investment in cybersecurity is a deeply flawed business practice.
In a similar case, Anthem, one of the largest health insurers in the U.S., is being pursued by the FTC on the exact same rationale after its headline-grabbing breach, disclosed in February 2015. Whether the action is justified will be left to the experts. However, the resolution of this case will be significant because the insurer appears to have been compliant with HIPAA. The question, therefore, is whether current healthcare security standards are sufficient in light of these cyber attacks.
Currently, many people are under the mistaken impression that compliance equals security. This is simply not the case. Best practices change and evolve along with the cyber-threat landscape, whereas compliance standards lag behind it. In fact, today the majority of compliance standards do not take into account the risks posed by mobile devices or cloud services.
It's clear that an overarching policy, with teeth, is essential for establishing strong cybersecurity standards that businesses of all sizes, across industries, must achieve. We applaud the move to position the FTC as this governing body. Trend Micro already works closely with law enforcement and government agencies to share valuable information and ideas to thwart the growing avalanche of cybercrime we all face. We look forward to working with the FTC, and others, as well.

Tom Kellermann is the chief cybersecurity officer for Carbon Black Inc. Prior to joining Carbon Black, Tom was the CEO and founder of Strategic Cyber Ventures. On January 19, 2017 Tom was appointed the Wilson Center's Global Fellow for Cyber Policy.