FTC and Cybersecurity Oversight

Nov 25, 2016

Into the Cyber Breach Go the U.S. Government Regulators

Has cybersecurity evolved to become a true profession, with a requirement for regulatory standards? If so, who will make those decisions? Cyber security efforts clearly fulfill an undeniably critical function in contributing to protection of our ever-expanding global online world, and in this article, we argue that recent U.S. court decisions signal the global arrival of the cybersecurity profession at an important crossroads.

Data Breach

The efforts of cybersecurity professionals continue to fail to sufficiently secure the very networks they are entrusted with protecting and, as the bad guys win, they risk the ire of the public they are called upon to protect. Demands to impose legal consequences upon cyber professionals and organizations when a breach occurs are fierce and immediate.

Absent in this post-facto recrimination is public acknowledgement of two facts. First is the role that users’ preference files play in contributing to the breach in the first place. The other is the fact that no cybersecurity professional can ever offer complete assurances of information security and privacy, ever. Of course, this means that no business can offer this assurance either. And yet, these two obvious estoppels understood, into this breach the government regulators will go – to the long-term detriment of the cybersecurity profession, and certainly not in the best interests of business organizations around the world that are working hard to protect their online operations and assets.

The following high profile case is a good example. In 2012, the Federal Trade Commission (FTC), an independent agency of the United States Government, began proceedings to sue Wyndham Worldwide Corporation, seeking injunctive and other equitable relief for this organization’s “failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information.” Reportedly, these breeches occurred on “three separate occasions in less than two years” (FTC v. Wyndham, et al, 2015).

To be legally clear, the FTC is legislatively authorized to initiate federal district court proceedings in appropriate jurisdictions, by its own attorneys, to enjoin any violations of the FTC Act (15 U.S.C. 53(b)(2)). This is a significant regulatory power, perhaps not unrivalled in other jurisdictions, but certainly less restrained than is commonly seen with regulators in other parts of the world. In effect, the FTC can pretty much choose to sue whomever and whenever it wants, so long as it has probable cause to believe that the entity it is suing has violated any U.S. relevant regulations. Of note, this could include U.S. companies with global operations (such as in the Wyndham case) or a foreign international organization with operations in the U.S. – making this regulator’s reach and actions of global concern.

Presumably there must be a threshold at which the FTC determines that it should or should not act. In this case, the action must have been brought to protect a then unknown number of victims (perceived in the filings as poor lost consumer lambs duped by the evil corporate wolf) from the obvious and continued harm they must have been facing for their apparently naïve trust in this corporation’s ability to follow even the most basic of established and known data security and privacy protocols. In truth, the filing does indicate total consumer losses of $10.6 million in fraud through the unauthorized export of hundreds of thousands of consumers’ payment card account details to a “domain registered in Russia” where, again presumably, the fraud on these consumers was perpetuated. This is not insignificant. But it is also in no way unprecedented. Nor is it unlikely, improbable or unrepeatable. In fact, we know this could happen (and has happened) to other organizations previously, and on occasion, even repeatedly, given that no organization can ever be sure it is 100% secure.

What makes this case so spectacularly obvious to pursue then? The answer is not only unclear, it is actually opaque. The lack of an intuitive or obvious legal fact base supporting the draconian actions of the FTC is what makes this a dangerous precedent worthy of further query and consideration for its warning signs to the entire cybersecurity industry: our wake-up call if you like.

There are some interesting facts in the legal filings. First, Wyndham had posted, and all users of the reservation system apparently involved in this breach had acknowledged, fairly normal privacy notices and warnings on use. These would be proto­typical for just about any organization with a large consumer base to post both as information, as warning and, frankly, as a possible way to deny liability in the instance of an information security breach – all considered pretty standard legal fare these days.

There are then further exclamations from the FTC about just how egregious this breach was, caused mainly by defendants who purportedly “failed to provide reasonable and appropriate security for the personal information collected and maintained by” the organization. They “failed to use available security measures…”; they “failed to ensure […] adequate information security policies and procedures”; they “failed to remedy known security vulnerabilities…”; they “failed to employ commonly-used methods to require user ID’s and passwords that are difficult for hackers to guess”; they “failed to employ reasonable measures to detect and prevent unauthorized access…”; and they “failed to follow proper incident response procedures”.

Truly, while this is an awful litany of obvious gaps and errors that no responsible organization could be expected to tolerate, it may not be all that uncommon, actually. Why? Because, we as a profession have not truly established strict standards that would enable the question of what is and is not “reasonable” to expect from business organizations in this regard. So, for the FTC to be litigating this case, obviously they must have established and published such guidance. Otherwise, on what basis would they rely to determine whether or not the actions undertaken by this organization, or in fact any global organization, were or were not reasonable in the circumstances? One must simply assume that an objective standard must exist in order for the FTC to be as outraged as it is at the actions of this organization so as to sue it in federal court.

Regrettably, there is not. In fact, that is the major point of this article. The sole sections of the FTC Act on which they relied to sue Wyndham was section 45(a) which prohibits “unfair or deceptive acts or practices in or affecting commerce”.

If your reaction on reading this, is that it is a broad and potentially all-encompassing and unclear statement, we share your sentiment. It is indeed a sweepingly vague and inclusive statement that could, practically speaking, include just about any practice with which the FTC disagreed with or which it simply deemed unfair in that moment. Could a regulator of international note truly rely on pure subjectivity to interpret such an important point?

To clarify, they go on to claim the organization further engaged in “misrepresentations or deceptive omissions of material fact” and acts or practices that are “likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves…” Properly clear now? In our view this mostly eliminates any organization offering any online service to any consumer for, as we established already, there is absolutely no system that is 100% secure. So, even if we warn consumers of this risk (as the defendants did); even if we take reasonable precautions (although it is not clear how we would determine if they were sufficient or not); we still cannot help the consumer avoid the risk entirely unless we simply DO NOT permit them to run the risk of accessing any online system by not offering them. That is unthinkable in the global economy today.

The circular logic of these paragraphs should be seen as frightening, especially for large, global firms. For us, it also demonstrates an incredible regulatory over-reach by the FTC to misapply legislation which never envisioned and was not intended for the modern online data-security and privacy context.

We further assert that the following statement entirely addresses the real driver for the FTC lawsuit: they state that Wyndham Hotels acted “unfairly”. In fact, in a further amended complaint following additional discovery and investigation, they state so quite clearly in Count II, paragraph 47: “In numerous instances Defendants have failed to employ reasonable and appropriate measures to protect personal information against unauthorized access.” (FTC v. Wyndham, et al., 2005)

Surely the reason for pursuing this argument as a regulator through a lawsuit must be to exactly establish what is “reasonable and appropriate” because, as a profession, we all struggle with exactly this question every single day, but have failed to answer it appropriately, it seems. Therefore, the FTC feels obliged to help us create those firm answers by establishing jurisdiction from a regulatory perspective over cybersecurity and data-security related matters.

Why would they seek this power of oversight? There is an obvious answer: scope and funding. Federal agencies exist with a mandate supported by an initial and on-going budget allocation. However, an increase in scope or mandate also comes with a further increase in budget and resources. Just as private corporations seek revenue growth – government agencies also seek resource growth. And what is growing faster than cybercrime and cyber breaches these days?

Success in becoming the agency of record for cyber regulation, a matter of high visibility that creates enhanced status within the federal government, would establish the FTC as likely the most powerful contributor to the conundrum of how to regulate professional standards in cyberspace. However, that pre-supposes that this agency is capable of aspiring to regulate cyberspace not just with the intention of growing its domain but also doing so competently; a conclusion that is less obvious from its approach to this particular case.

Yet into the breach that cybersecurity experts have left open, government seems willing to go. Is that really what cybersecurity professionals or the public they protect want to have happen? We assert not.

More than ever, the absence of coherent standards of professional practice in the world of cybersecurity and the ability to define and defend them in codifiable, substantive ways against the possible scourge of regulation means that cybersecurity experts risk their inaction as a profession becoming the rationale for regulators to act. This would not be a positive development in our view.

So, what is the solution to this looming threat of misguided and perhaps misinformed regulation? Consider, if you will, the example presented by the insurance industry. In the late 1700s, states began passing individual statutes or enacting individual charters for each insurer that wished to begin selling insurance within a state (Webel & Cobb, 2005, p. 5). Each of these individual legislative actions set forth the specific rules that applied to a particular insurer and, over time, these state-specific sets of rules became the early beginnings of state-based insurance regulation.

Of course, it wasn’t long before the insurance industry became dissatisfied with this regulatory structure. While this system provided minimal governmental intervention and allowed insurers to negotiate their regulatory framework (to some extent) as they bargained with a state legislature for a charter at their inception, it soon proved burdensome for other, obvious reasons.

A three point call-to-action plan for the cybersecurity profession
1. Get politically engaged to push back against premature or inappropriate regulation in this highly volatile and emerging field – particularly the obvious effort of the FTC to become the de-facto cybersecurity regulator.
2. Control Your professional future by creating defensible ­professional standards of practice, perhaps inside a truly regulated and registered profession, to help establish answers to questions of conduct and defense of actions rather than having these answers arise from litigation.
3. Determine, propose and implement a regime of sustainable self-regulation that comforts the political forces sufficiently to avoid a trigger response to what are clearly exceptional as opposed to routine situations today.

Under this regulatory scheme, multi-state operations were complex and insurers were subject to tax and fee structures they deemed unfair. Tax from insurance policies proved to be a prime source of revenue for the states and, of course, policies written by out-of-state insurers were subject to higher rates. Along with this, out-of-state insurers were often subject to additional or increased fees for licensing. Not at all surprising.

By the 1860s, the insurance industry was ready to escape from this multi-state regulatory burden and attempted to both convince Congress to legislate these problems away and correct them via intervention from the Supreme Court. Both approaches failed.

In the test case, Paul v. Virginia, the Supreme Court refused to identify the insurance product as inter-state commerce, and instead described it as a contract that is delivered locally (1868). Thus, much to the frustration of the insurance industry, insurance remained squarely within the regulatory control of a multitude of states.

In response to this, the insurance commissioners of the many states formed the predecessor organization to the National Association of Insurance Commissioners (“NAIC”) in 1871.

Since its inception, the NAIC has had many objectives, but its primary function has been to help build consistent regulatory and operational frameworks for the insurance industry across the 50 United States and its held territories. To this end, it has outwitted the regulators and been highly successful at accomplishing this important industry goal.

The NAIC has grown from a voluntary organization formed by the insurance commissioners of the many states to include a separate incorporated arm which employs 400 plus staff members. Both the volunteer and corporate arms of the NAIC work to distill and coordinate the varied interests of the state regulators and the industry, most notably through the promulgation of model rules which are often adopted by all states and territories in a form substantially close to their original. In essence, this informal regulator with no power to penalize noncompliant actors, has created the appearance of a single regulatory framework where none exists.

Imagine the introduction of such a force in the world of cybersecurity: and how defining that may be for our nascent profession currently.

The NAIC’s power within the industry and the regulatory landscape of the U.S. is further evidenced by the fact that even as political and industry climates have changed over time, the NAIC has remained an integral part of the conversation. In fact, both government and industry rely so heavily on the NAIC that at various times in history the U.S. Congress has seemingly ceded pseudo regulatory power to the NAIC. Is the absence of a breach keeping government satisfied?

Consider the following: nearly eight decades later, when the insurance industry had no desire to be governed by federal regulation due to what it viewed as the onerous nature of federal antitrust laws, the Supreme Court in U.S. v. South-Eastern Underwriters Association reversed its prior decision that the insurance contract cannot be considered inter-state commerce (1944).

The NAIC took immediate action to intervene with Congress and by 1945 the McCarran-Ferguson Act was passed. Not surprisingly, the conference committee’s version of the bill was nearly identical to the model bill put forth by the NAIC (Meier, 1988, p. 68-69). However, this in itself is not the best evidence in this instance of Congress ceding regulatory power to the NAIC. McCarran-Ferguson (codified at 15 U.S.C. §1011), reaffirmed the states’ rights to tax insurance policies, and granted an immediate moratorium on enforcing the application of federal antitrust laws to insurance.

The period of moratorium provided the NAIC with enough time to draft model laws regarding the rating of insurance policies which continued to permit cooperative rate making. In other words,  Congress acknowledged the ruling from the Supreme Court, but in exercising its power to legislate on the matter provided the NAIC with enough time to formulate a work-around for the industry.

Unless cyber professionals, and the organizations they work to protect, act accordingly and together, they will bring upon themselves, unwanted federal government agency regulation and scrutiny – in fact, this third circuit precedent already demands attention, for it is a creeping start towards sweeping regulatory powers in an industry too nascent to understand its long-term effects.

Acting as a profession, cybersecurity professionals can understand and substantially engage in appropriate ways to lessen the sway towards regulation and firmly close this breach by adopting a posture of professionalism and self-regulation that thwarts what is essentially a land-grab for resources at their expense.

3-point Call-to-Action Plan for the Cybersecurity Profession

  1. Get politically engaged to push back against premature or inappropriate regulation in this highly volatile and emerging field – particularly the obvious effort of the FTC to become the de-facto cybersecurity regulator.
  2. Control your professional future by creating defensible ­professional standards of practice, perhaps inside a truly regulated and registered profession, to help establish answers to questions of conduct and defense of actions rather than having these answers arise from litigation.
  3. Determine, propose and implement a regime of sustainable self-regulation that comforts the political forces sufficiently to avoid a trigger response to what are clearly exceptional as opposed to routine situations today.

By following 3-point action plan above, you can change the course – or you can wait patiently on the sidelines, let this unfold, and forever pay the price of a lackluster response to such an important development in the cybersecurity world.

Dr. James Norrie is Associate Dean and Chief Academic Officer Graham School of Business, York College Pennsylvania.

Stephanie Nesbitt is Assistant Professor and Director of Risk Management at Utica College.