FTC’s actions put CSOs on high alert

Four takeaways from the FTC’s power to sue for lax security.

If someone had asked Jay Leek two years ago if advanced threat detection should be part of every institution’s core security stack, he would’ve replied that it’s “nice to have, but it only becomes core in more mature programs.” But today, the chief information security officer at The Blackstone Group in New York is taking a new look at what’s considered reasonable care in protecting information.

“Today, I would say advanced threat detection capability is foundationally part of your core stack – it’s one of the first things you do,” because of the ever-changing threat landscape, Leek says.

Defining what is reasonable care when it comes to information and systems security is one of many questions on IT leaders’ minds after the Third U.S. Federal Circuit Court ruled in August that the Federal Trade Commission can sue organizations that have poor IT security practices, especially companies that have had more than one security breach that compromised customer data.

The ruling was part of a lawsuit between the FTC and hotel chain Wyndham. In 2008 and 2009, Wyndham was hacked three times, losing credit card data for more than 619,000 customers and causing $10.6 million in loss due to fraud. The court said that companies must exercise reasonable care in securing their systems.

The FTC’s power to sue for lax security is not necessarily new, and in fact dozens of companies have been held accountable by the commission in recent years, but they have quietly settled out of court by signing consent decrees that promise to clean up their act, says Michael R. Overly, a partner and intellectual property lawyer focusing on technology at Foley & Lardner LLP in Los Angeles. Wyndham was the first organization in almost a decade to challenge the FTC in court and reaffirm its power, he adds.

“This new attention [to the FTC’s power] is good because companies need to understand that it’s not about ‘now we need to fix things because we’ve been hacked,’ or they’re simply suffering from some adverse publicity,” he says. “My hope is that this points out to businesses that they need to be more proactive.”

In 2006, the FTC imposed a $10 million fine on data aggregator ChoicePoint, the largest civil penalty ever levied at the time by the agency, for the highly publicized security breach that the company had disclosed a year earlier. The FTC charged that ChoicePoint’s security and record-handling procedures violated consumers' privacy rights. The settlement was also the first in which the FTC had fined a company in connection with a security breach.

Since then, the FTC’s goal has been to help correct and not necessarily punish companies for lax security “unless it’s egregious,” Overly says, but that doesn’t mean security teams can relax.

Security leaders and legal experts offer four important takeaways from this latest ruling.

1. CSOs must evolve with the changing definition of ‘reasonable care’

“You’ve definitely got to stay on top of threats and think about what controls and capabilities that you need to deploy (including running programs that have continuous improvement) and really keep close tabs on the current threat landscape,” Leek says.

Blackstone has created its own security stack for the 100 companies in its portfolio, he says. “It’s a risk-based programmatic approach to developing an information risk and security program, with a methodology that they’re able to refer to and follow.”

About a dozen Blackstone companies began implementing the stack in mid-2014, but it was officially launched across its entire portfolio in May. “It’s pretty new, and it’s by no means perfect, but we’re trying to give some good guidance on how to do things,” Leek says.

Perfection is not the requirement of the FTC, Overly says. Rather, companies are required to do what is reasonable and appropriate. “If a company has never changed the default password in their routers or never required employees to change passwords, for example -- those easy, fundamental things that companies should be doing -- that’s when the liability is going to come in,” he adds. “It sounds silly, but lots of companies do just that.”

2. Some industries still must define security standards

While some industries have their own standards of security through regulatory and compliance requirements, such as HIPAA, Gramm-Leach-Bliley or Sarbanes-Oxley, other sectors are just starting to define their own industry information security standards, which could help define reasonable care in the case of an FTC suit.

In July, the automotive industry, led by the Alliance of Automobile Manufacturers and the Association of Global Automakers, announced a new intelligence sharing and analysis center that will begin disseminating and exchanging cyber threat information later this year. Organizers say the ISAC will provide a central hub for cyber threat information and analysis, as well as bring insights on the current threat landscape.

“While they have a lot of work to do, they are getting ahead of it,” says Sedar Labarre, vice president at Booz Allen Hamilton and a leader in its commercial business, with a focus on cybersecurity. The ISAC is just the tip of the iceberg, he says. “By no means does it replace what needs to be done internally in each of these companies,” Labarre says. Complicating matters, automakers can’t find enough workers experienced in both cybersecurity and automotive technology, he explains. “They’re working to figure out how do we train and get people in the industry to build those internal capabilities.”

3. Keep closer tabs on third-party contractors’ security practices

A third of all security breaches suffered by retailers were linked back to compromises via third-party vendors, according to BitSight Technologies. “You need to be more careful about your third-party agreements and address information security with those third parties,” Overly says.

Target told reporters in 2014 that the initial intrusion into its systems that led to a massive data breach was traced back to network credentials that were stolen from a third-party vendor, a refrigeration, heating and cooling subcontractor that had worked at several Target locations. Home Depot, CVS and Costco have also pointed to third-party vendors as the culprits in their data breaches.

4. The buck stops with executives to increase security budgets

One silver lining from the ruling might be that security leaders finally have the leverage they need to beef up budgets for security programs.

In higher education, for instance, IT departments are always fighting for a portion of the budget for security, but it’s hard to convince the board that security directly benefits its core missions of education and research, says Quinn Shamblin, former CISO at Boston University.

“We’re able to make a much stronger connection between the value of security and core missions than we were a couple years ago because millions of dollars of research is being stolen every year due to poor security practices,” Shamblin says. The FTC ruling puts more responsibility on executives and board members to improve security, through bigger budgets or staffing, and to prevent breaches.

“By making organizations and the actual strategic and financial leaders of those organizations directly responsible for ensuring security practices – you have a better chance of making sure that risk is being talked about around the conference room table,” Shamblin says.

While the FTC ruling’s bark may turn out to be worse than its bite, it does serve as a reminder that companies must keep up with the changing threat landscape.

“Information security has changed a lot, even in the last two years,” Overly says. “Companies who are managing by waiting for the next disaster are going to find themselves to be the people the FTC will be talking to.”
