By HP Security Strategist Stan Wisseman
It just got much riskier for firms that fail to protect customer data as they claim to be doing.
Last week, a U.S. appellate court ruled that the Federal Trade Commission (FTC) has the authority to sue Wyndham Hotels for allowing hackers to steal more than 600K customer data records from its systems. The court rejected Wyndham Hotels’ argument that it lacked notice of what the FTC regarded as insufficient cybersecurity.
This ruling cements the FTC’s power to regulate and fine firms that lose consumer data in data breaches if the companies engage in what the FTC deems “unfair” or “deceptive” business practices. It provides another serious legal incentive for organizations to invest in protecting their customers’ data.
Following the court ruling, FTC Chair Edith Ramirez said in a statement that the “decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data.” She also noted that it is “critical” that the FTC “has the ability to take action … when companies fail to take reasonable steps to secure sensitive consumer information.”
The decision underscores the importance of keeping up with FTC guidance on cybersecurity practices and its view of what is “reasonable.” In its ruling, the court pointed to the FTC’s publicly available complaints in past enforcement cases, as well as other Commission materials. These include:
- Protecting Personal Information: A Guide for Business – First published in 2007 and updated in 2011, this document offers recommendations under five principles: take stock, scale down, lock it, pitch it, and plan ahead. They also have an online tutorial based on the guide.
- Start with Security: A Guide for Business – 10 practical lessons businesses can learn from the FTC’s 50+ data security settlements. For example, the FTC recommends testing software for common vulnerabilities like those highlighted by the OWASP Top 10.
- FTC guidance on particular data security challenges – News releases, blog posts, and other documents to help avoid pitfalls.
Some are frustrated by the FTC’s vagueness with regard to cybersecurity best practices. To be sure, its guidance is very high level, and it is difficult for any firm to achieve all of the recommended best practices. The FTC could potentially bring an action against a company in any significant breach incident.
However, while its cybersecurity enforcement authority has been affirmed by the court, the FTC is being judicious in exercising it. For example, despite an insider data breach at Morgan Stanley that resulted in the exposure of customer information, the FTC closed its investigation without penalties against the firm. The FTC spared Morgan Stanley because of the company’s implementation of “comprehensive policies” to protect against employee theft of customer personal information; its adoption of technical measures to limit access to sensitive information and to monitor data transfers by employees; and its vigorous response to the breach.
Nevertheless, last week’s court ruling is significant news. If you don’t take measures to safeguard the data of your customers and as a result get breached, you now face the possibility of the FTC coming down on you in addition to other consequences. Here are four recommendations:
- Review current FTC cybersecurity guidance and keep up with their updates as they are posted.
- As I recommended in a previous CIO Forum post, leverage one of the cybersecurity frameworks available to demonstrate a comprehensive program to the FTC.
- Review your data and privacy policies and standards against FTC expectations.
- Conduct an independent evaluation of your security controls to gain assurance that your customer data protection procedures and safeguards function as expected.
While this affirmation of the FTC’s authority may be a good thing, I see it as a double-edged sword. FTC guidance does help improve the overall security of the industry. However, aspiring to meet this guidance, and avoiding fines, won’t necessarily thwart threat actors, especially those that launch targeted attacks. CISOs should leverage the FTC guidance but frame it to executive leadership as “we must be at least this good.” If we aspire only to this “reasonable” bar of security, facing today’s evolving adversaries, we’re going to lose.
HP has a full range of data security solutions. HP Security Strategist Cindy Cullen’s CIO Forum post on data security also has some good recommendations on how to protect data throughout its lifecycle.
from critical infrastructure alliance http://ift.tt/1NhnqeL