Cybersecurity in the U.S.: Living with Regulatory Uncertainty
Unlike many countries, the United States does not have a single overarching legal regime governing cybersecurity. Instead, a multitude of federal statutes and regulations govern cybersecurity, alongside legislation and regulatory oversight by state authorities.1 As a result, enforcement actions for data security failures can originate from many sources. However, among the various federal cybersecurity regulators – including the Federal Communications Commission ("FCC"), the Securities and Exchange Commission ("SEC"), the Financial Industry Regulatory Authority ("FINRA"), and others – the Federal Trade Commission ("FTC") has emerged as the primary federal regulator. As discussed below, the results of FTC enforcement actions are proving to be the baseline for identifying and implementing sound cybersecurity measures. Accordingly, all companies conducting business in the U.S. should be mindful of the conduct at issue in FTC enforcement actions and confirm that their information security programs meet the FTC's evolving standard of what constitutes a reasonable data security program.
Basis and Jurisdiction of the FTC's Enforcement Authority
Since 2002, the FTC has brought and settled more than 50 data security enforcement actions against companies and individuals in a wide range of industries, including retailers, financial institutions, health-care related organizations, insurance companies, hospitality companies, and software and data security vendors. The statutory basis for the majority of these FTC cybersecurity enforcement actions is Section 5 of the Federal Trade Commission Act of 1914 (the "FTC Act"), which provides that "unfair or deceptive acts or practices in or affecting commerce . . . are . . . declared unlawful."2 The FTC's jurisdiction under Section 5 also extends to acts or practices involving foreign commerce that cause or are likely to cause reasonably foreseeable injury within the United States or involve material conduct occurring within the United States.3
The FTC's cybersecurity-related actions under Section 5 generally fall into two categories: those based on an alleged failure to implement reasonable cybersecurity safeguards (under the "unfairness prong" of Section 5), and those based on allegedly false assertions of adequate cybersecurity measures (under the "deception prong" of Section 5). Historically, the majority of the FTC's cybersecurity cases have relied upon alleged violations of the deception prong, that is, false claims of secure websites and the like. However, the FTC has increasingly employed the unfairness prong of Section 5 in cybersecurity cases, which imposes liability even in the absence of any allegedly false representations concerning a company's data security. This application of the unfairness prong essentially gives the FTC great discretion to create cybersecurity standards through enforcement actions. In turn, two U.S. companies – Wyndham Worldwide Corporation and LabMD, Inc. – have recently challenged the scope of the FTC's authority under Section 5, arguing that, among other things, Section 5's prohibition on "unfair" trade practices does not give the FTC authority to prescribe data-security standards for private businesses.
Wyndham Worldwide Corporation's Challenge to FTC Authority
In 2012, the FTC brought an enforcement action against Wyndham Worldwide Corporation and several of its hotel subsidiaries (collectively, "Wyndham").4 The FTC's case against Wyndham stemmed from three Wyndham data breaches during 2008 and 2009, which exposed more than 600,000 consumer payment card account numbers and led to more than $10.6 million in fraud loss. The most notable problems alleged by the FTC included the failure to: (1) use firewalls between networks; (2) encrypt stored payment card information; (3) fix known security issues; (4) use industry standard password complexity; and (5) employ reasonable procedures to detect and prevent breaches.
Following the district court's denial of Wyndham's motion to dismiss, the company appealed to the United States Court of Appeals for the Third Circuit ("Third Circuit"), raising two issues: (1) whether the FTC has authority to regulate cybersecurity under the FTC Act, and (2) whether Wyndham received fair notice of the FTC Act's cybersecurity standard.6 In August 2015 – in a highly anticipated opinion – the Third Circuit affirmed the district court's ruling, thereby allowing the FTC's data breach action against Wyndham to proceed.7 In the Wyndham opinion, the Third Circuit rebuffed Wyndham's argument that the FTC does not have enforcement authority over cybersecurity under the unfairness prohibition of the FTC Act. The Third Circuit further ruled that Wyndham did have adequate notice of what cybersecurity practices could violate that provision and noted that Wyndham was "not entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform." Instead, the Third Circuit held that Wyndham was only due "fair notice" that its conduct could violate Section 5, and emphasized that Wyndham had adequate notice because it had been hacked "not one or two, but three, times." The Third Circuit also found that the FTC's 2007 guidebook – which counseled against many of the specific practices Wyndham had in place – as well as prior FTC cybersecurity settlements bolstered its conclusion that Wyndham was on notice that its practices could violate Section 5 of the FTC Act.8
LabMD's Challenge to FTC Authority
Despite the FTC's success against Wyndham and other corporate defendants in bringing claims of cyber-related unfair trade practices, the FTC's enforcement authority is not without limits. In fact, on November 13, 2015, the FTC suffered a setback in its administrative courts as an administrative law judge ("ALJ") issued an Initial Decision dismissing the FTC's complaint against LabMD, a medical diagnostics company that has been engaged in protracted litigation with the FTC over alleged data breaches.9
The case against LabMD began in August 2013 when the FTC filed a complaint in its administrative court alleging that LabMD violated Section 5 by failing to protect consumer health data in two separate incidents. Specifically, the FTC alleged that LabMD's unreasonable policies and procedures resulted in the leak of personal information of approximately 10,000 consumers to the peer-to-peer file-sharing network LimeWire and, eventually, to identity thieves. LabMD moved to dismiss the complaint, arguing that its data security practices were already regulated by the U.S. Department of Health and Human Services ("HHS") and, therefore, that the FTC lacked authority to regulate LabMD in this area. LabMD also responded by filing a complaint of its own in the U.S. District Court for the District of Columbia, which similarly claimed that the FTC lacked jurisdiction because HHS is tasked with regulating consumer data security in the healthcare industry. A panel of four FTC commissioners denied LabMD's motion, finding the FTC's authority to regulate data security practices consistent with the FTC Act and its legislative history, other statutes, and prior cases. Similarly, the district court rejected LabMD's challenge to the FTC's administrative authority as premature, a ruling the Eleventh Circuit Court of Appeals has since upheld.
However, when LabMD's case returned to the FTC's administrative court for an examination of the merits of the FTC's complaint, the ALJ dismissed the case, holding that the FTC had failed to meet its burden of proving that LabMD had engaged in unfair trade practices. As the ALJ's opinion notes, in order to prove that an act or practice constitutes an unfair trade practice within the meaning of Section 5, the FTC must demonstrate that: (1) the act or practice causes or is likely to cause substantial injury to consumers; (2) the substantial injury was not reasonably avoidable by consumers themselves; and (3) the substantial injury was not outweighed by countervailing benefits to consumers or to competition.10 In LabMD, the ALJ held that the FTC had failed to satisfy the first step in this three-part test – that LabMD's alleged failure to reasonably protect data on its networks caused, or was likely to cause, substantial injury to consumers. According to the ALJ, the FTC had, "[a]t best . . . proven the 'possibility' of harm, but not any 'probability' or likelihood of harm." The ALJ further held that "[t]o impose liability for unfair conduct under Section 5(a) of the FTC Act, where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical 'risk' of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of 'likely' substantial consumer injury."
The LabMD decision is not final; the FTC has the ability to appeal this decision to the full FTC Commissioners and is likely to do so in an effort to preserve a more expansive definition of what constitutes "likely substantial consumer injury." Although the LabMD decision is useful to would-be defendants because it potentially limits the cases the FTC may bring in the absence of consumer injury, it does not serve to limit the FTC's jurisdiction over cyber intrusions in general or its ability to prescribe data-security standards for the private sector as recognized in the Wyndham case.
The FTC's Enforcement History as a Baseline for Reasonable Cybersecurity Measures
The FTC's recent enforcement cases and, in particular, the Wyndham case, are important for companies attempting to navigate the U.S. cybersecurity landscape for several reasons. First, as noted above, Wyndham affirms the FTC as the de facto watchdog over cybersecurity failures of companies that conduct business in the U.S. Second, the Wyndham decision confirms that the FTC can bring enforcement actions based upon "unreasonable" cybersecurity practices despite the absence of statutory guidance or regulations on what reasonable cybersecurity practices actually look like. As a result, companies doing business in the U.S. must be vigilant in following FTC enforcement action developments and FTC guidance. Third, many state analogues to the FTC Act (referred to as "Little FTC Acts") mirror Section 5 of the FTC Act and are either "guided by" or give "great weight" to the FTC's interpretations of its own substantive Section 5 authority. Accordingly, FTC enforcement actions may embolden state attorneys general and private litigants alike to utilize these Little FTC Acts to challenge practices comparable to those found suspect in FTC complaints. It is also important to note that, unlike the FTC Act, which does not contain a private right of action, almost every Little FTC Act does authorize private suits, including class actions, attorney fees and, in some cases, even punitive damages.
For all of these reasons, companies seeking to comply with U.S. cybersecurity regulations must stay current with FTC developments. However, because FTC enforcement actions generally focus on after-the-fact critiques of particular policies and practices and do not provide a comprehensive or programmatic guide to a 'living and breathing' cybersecurity program, other resources and guidance should be used as the foundation for a successful data security program.
NIST Cybersecurity Framework as a Foundation
Without question, prevention of a data security breach is a primary objective in drafting cybersecurity policies and procedures and implementing reasonable cybersecurity practices. However, even companies with sound cybersecurity practices can be breached. Accordingly, a second but equally important objective should be adopting policies and procedures that minimize regulatory risk by ensuring that a company's overall cybersecurity program is objectively reasonable.
A reasonable cybersecurity program generally starts with compliance with an established cybersecurity standard. However, notwithstanding the work of the FTC on unfair and deceptive practices involving data security, there are no baseline statutory or regulatory standards in the U.S. for minimum data security measures for most private sector businesses (the health care and financial services sectors excepted). In the absence of legislative prescriptions, the federal government has nonetheless launched a broad effort to establish a 'framework' (if not an actual standard) for cybersecurity in its Framework for Improving Critical Infrastructure Cybersecurity (the "Framework"), released in February 2014 by the National Institute of Standards and Technology ("NIST"), a component of the U.S. Department of Commerce.11 The Framework is specifically designed to "enable organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure."
The Framework core consists of five functional categories:
- Identify - Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities;
- Protect - Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services;
- Detect - Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event;
- Respond - Develop and implement the appropriate activities to take action regarding a detected cybersecurity event; and
- Recover - Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
In addition to taking into account the FTC's enforcement history, companies should consider using these five core functions as the foundation for their cybersecurity programs, and examine whether the corresponding subcategories and suggested cybersecurity practices for these core functions that are provided in the Framework are appropriate for their own cyber risk profiles.
It is important to note, however, that the Framework does not create a cybersecurity safe harbor. Instead, it combines best practices from a multitude of industry sources. Although the NIST Framework does not articulate an enforcement standard, it can serve as a roadmap for regulators – including the FTC – in assessing the reasonableness of a cybersecurity program. In fact, regulators are already using the NIST Framework in written guidance and examination document requests.12 As a result, the NIST Framework is an essential first step toward meeting the reasonableness standard of regulators and should be part of any effort directed at compliance with the FTC's evolving guidelines for unfair and deceptive cybersecurity practices.
Avoiding Pitfalls Highlighted in FTC Enforcement Actions
The FTC appears to have listened to some of the criticism that businesses have difficulty knowing just where the FTC stands on specific cybersecurity practices. In July 2015, the FTC published data security guidance titled Start With Security: A Guide for Business.13 This resource distills 10 essential lessons learned from the FTC's 50-plus enforcement actions. According to the FTC, "addressing the expectations revealed in the guidance may not eliminate all data security risk, but the guidance is a useful resource for assessing data security programs."
Another important tool for minimizing the risk of an FTC or other regulatory enforcement action is to avoid practices the FTC has previously identified as unreasonable or otherwise deficient. For example, in Wyndham, the FTC's complaint identified the following practices as insufficient, alleging that Wyndham failed to:
- use firewalls between networks;
- encrypt stored credit card information;
- use industry standard password complexity;
- employ reasonable measures to detect and prevent unauthorized access;
- implement security updates on a timely basis;
- follow incident response procedures;
- adequately restrict vendor access; and
- fix existing security issues.
Other cybersecurity deficiencies noted in FTC enforcement actions include the failure to:
- perform risk assessments;
- conduct regular testing and monitoring of privacy controls;
- conduct regular reviews of privacy statements/notices for correlation to actual practices and disclosures;
- obtain user consent with respect to new data or products;
- require strong user credentials and password policies and procedures;
- segment servers and limit employee access to PII;
- implement reasonable data storage policies and procedures;
- encrypt data in transit and at rest;
- adopt policies and procedures for data retention, destruction and disposal;
- implement controls and security reviews for new software and products;
- require and implement contractual requirements for service providers;
- reasonably oversee service providers;
- perform cybersecurity audits;
- assess network vulnerabilities;
- evaluate the risk of third party access;
- implement reasonable measures to assess and enforce compliance with policies and procedures; and
- implement policies and procedures for the prevention and detection of unauthorized access.
Perhaps not surprisingly, all of the points above drawn from specific FTC enforcement actions can be found in the NIST Framework.14
Industry-Specific Rules and Guidance
Although the FTC has clearly assumed the role of primary cybersecurity regulator, other federal agencies have jurisdiction to impose rules and regulations and issue guidance on an industry-by-industry or sector-by-sector basis. There are different regulators for many fields of business, such as investment management, banking, communications and the like. Below is a more in-depth examination of the most significant rules, regulations and recent guidance in just a few of those fields.
Financial Services Industry Regulations
The primary cybersecurity regulation for investment advisers, broker-dealers, and investment companies ("SEC-regulated firms") is Regulation S-P. More specifically, Rule 30 of Regulation S-P requires SEC-regulated firms to establish written policies and procedures designed to "(a) Insure the security and confidentiality of customer records and information; (b) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (c) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer."15
Other relevant SEC rules include Regulation S-ID, which requires, among other things, that certain SEC-regulated firms that provide services to consumers implement policies and procedures designed to: (1) identify relevant types of red flags; (2) detect the occurrence of red flags; (3) respond appropriately to red flags; and (4) periodically update the identity theft program.16
Additionally, Rule 206(4)-7 under the Investment Advisers Act of 1940, as amended (the "Advisers Act") requires registered investment advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act and its rules, including Regulation S-P and Regulation S-ID.17
FINRA Rules 3110, 3120, and 3130 also require FINRA-member broker-dealers to maintain and enforce a supervisory system and written procedures reasonably designed to ensure compliance with applicable securities laws and rules, including Regulation S-P and Regulation S-ID, and maintain and enforce a supervisory control system to test and verify that its supervisory procedures are reasonably designed to achieve compliance with applicable securities laws and rules.
Recent SEC Guidance
In April 2014, the SEC's Office of Compliance Inspections and Examinations ("OCIE") launched a cybersecurity examination sweep, which examined 49 investment advisers and 57 broker-dealers picked to represent a wide cross-section of the U.S. financial services industry. On February 3, 2015, OCIE released the results of the sweep in a Risk Alert titled Cybersecurity Examination Sweep Summary, which provides a detailed overview of how investment advisers and broker-dealers are addressing the legal, regulatory and compliance issues associated with the increasing risk from cyber-attacks.18 The same day, in conjunction with OCIE's Risk Alert, FINRA released a detailed report on cybersecurity describing the practices that firms can adopt to strengthen their cybersecurity efforts.19
On April 28, 2015, the SEC's Division of Investment Management released additional cybersecurity guidance for registered investment companies and registered investment advisers. This guidance identifies issues for advisers and funds to consider when addressing cybersecurity risk.20
On September 15, 2015, OCIE issued a second Risk Alert announcing a second round of examinations of registered investment advisers and broker-dealers under its cybersecurity examination initiative. The Risk Alert also included information on areas of focus for OCIE's cybersecurity examinations.21
Telecommunications Industry Regulations
Other U.S. regulators have entered the fray, including the FCC. Under the Communications Act of 1934, as amended (the "Communications Act"), the FCC is responsible for regulating interstate and international communications by radio, television, wire, satellite, and cable in the U.S. There is little question that the FCC has authority under the Communications Act, as well as the Telecommunications Act of 1996 (the "Telecommunications Act"), to regulate how telecommunications companies use their customers' personal information. However, its authority to regulate data security with respect to customer personal information is less clear, as neither the Communications Act nor the Telecommunications Act grants the FCC explicit authority over data security.
Nonetheless, in its enforcement actions the FCC generally points to Sections 201(b) and 222(a) of the Communications Act as the basis for its authority over data security.22 In April 2015, the FCC entered into a $25 million settlement with AT&T over alleged data breaches at call centers in Mexico, Colombia, and the Philippines that resulted in the loss of customer identifying information in violation of Sections 201(b) and 222(a). More recently, in July 2015, the FCC entered into a $3.5 million settlement with two companies for alleged failure to protect the privacy of telephone customers' personal information, based on alleged violations of Sections 201(b) and 222(a). Specifically, the FCC's Enforcement Bureau alleged that two wireless carriers – TerraCom Inc. and YourTel America Inc. – failed to adequately protect stored Social Security numbers, names, addresses, and other personally identifiable information of as many as 300,000 consumers. Accordingly, telecommunications companies doing business in the U.S. should, at a minimum, be familiar with these sections of the Communications Act and the FCC enforcement actions being brought under them.
Recent FCC Guidance
On March 18, 2015, an FCC and industry working group, the Cybersecurity Risk Management and Best Practices Working Group 4 ("WG4") of the Communications Security, Reliability, and Interoperability Council ("CSRIC"), issued a report on best practices for cybersecurity risk management across the five main industry segments – broadcasting, satellite, cable, wireless and wireline.23 Not surprisingly, one of the primary recommendations in the report is for companies to incorporate the NIST Framework into their cybersecurity programs.
On May 20, 2015, the FCC issued an Enforcement Advisory warning that the FCC's Enforcement Bureau will focus on "whether broadband providers are taking reasonable, good-faith steps to comply with Section 222."24 The Enforcement Advisory stated that providers should "employ effective privacy protections in line with their privacy policies and core tenets of basic privacy protections."
The Internet can be a chaotic environment, and so it might not be surprising that it has generated a chaotic regulatory regime, one characterized by a lack of organization and uniformity. Doing business in the U.S. requires compliance with a wide range of statutory and regulatory rules, with oversight by an equally wide range of federal regulators. So while comprehensive federal standards have yet to be established, adherence to "reasonable" cybersecurity practices across all industries is the current standard that companies must strive for. It therefore behooves companies to focus on all aspects of FTC and other federal enforcement actions to stay up-to-date on what reasonable and unreasonable cybersecurity practices look like in the eyes of regulators. Simply put, eternal vigilance is the price of doing business in the current regulatory environment.
1A survey of all of the U.S. state and territory privacy and data breach laws is beyond the scope of this Article. However, it should be noted that 47 states, as well as the District of Columbia, Puerto Rico, the Virgin Islands, and Guam have adopted some form of privacy or privacy-related laws. While these state and U.S. territory laws vary by jurisdiction, all of these laws generally set standards and requirements for notifying consumers of data breaches. Accordingly, at a minimum, companies should review all applicable U.S. state and territory laws in the event of a data breach.
3 15 U.S.C. § 45(a)(4)(a).
5 F.T.C. v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014).
8 On December 9, 2015, the FTC announced that Wyndham had agreed to settle the FTC's charges. Under the terms of the settlement, Wyndham is required, for a 20-year period, to develop a comprehensive data security program designed to reasonably protect cardholder data, conduct annual data security audits, and ensure that its franchisees are in compliance with these data security requirements. https://www.ftc.gov/news-events/press-releases/2015/12/wyndham-settles-ftc-charges-it-unfairly-placed-consumers-payment
9 In re LabMD, FTC Docket No. 9357 (Nov. 13, 2015) available at: https://www.ftc.gov/system/files/documents/cases/151113labmd_decision.pdf.
10 15 U.S.C. § 45(n).
15 17 C.F.R. § 248.30(a).
16 See Identity Theft Red Flags Rules, 78 FR 23628 (Apr. 19, 2013) (the "Adopting Release") available at: https://www.sec.gov/rules/final/2013/34-69359.pdf.
17 17 C.F.R. § 275.206(4)-7.
22 Section 201(b) of the Communications Act provides, in relevant part, that "[a]ll charges, practices, classifications, and regulations for and in connection with [interstate or foreign] communication service [by wire or radio], shall be just and reasonable, and any such charge, practice, classification, or regulation that is unjust or unreasonable is declared to be unlawful." See 47 U.S.C. § 201(b). Section 222(a) of the Communications Act imposes a duty on telecommunications carriers to protect the confidentiality of "proprietary information" of consumers. See 47 U.S.C. § 222(a).