Bringing clarity to data breach legislation, enforcement

Sept. 1, 2015
Appeals court ruling endows FTC with power to regulate cybersecurity

Given the lack of laws and established court precedents nationally on issues involving cybersecurity, combined with the rise of data breaches in recent years, concerns have been growing among security executives as to what the federal government may do to address the subject. While there has been a lot of discussion between lawmakers on both sides of the aisle about the need to create a national standard for data breach notification, it seems the courts have beaten Congress to the punch in addressing what enforcement companies that suffer a cybersecurity failure could face.

Last week, a federal appeals court ruled that the Federal Trade Commission has the authority to regulate cybersecurity measures implemented by organizations and that the agency can pursue a lawsuit it previously filed against hotel chain operator Wyndham Worldwide for failing to protect consumers’ information. The FTC sued Wyndham in June 2012 over breaches the company suffered in 2008 and 2009 in which hackers were able to steal the credit card and other data on more than 619,000 consumers.

Stu Sjouwerman, founder and CEO of IT security awareness training firm KnowBe4, believes this ruling could spur C-suite executives who haven’t taken cybersecurity seriously enough to take significant action within their companies to address it.

“This is a real wake-up call,” he said. “Now that the FTC has become a watchdog with real teeth, I’m sure that the legal department with HR and C-level execs are going to be sitting around the table and saying, ‘We really need to get this going because if we don’t, the government is going to come down on us like a ton of bricks.’”

Additionally, Sjouwerman said the ruling could also be bad news for any other companies that have suffered a data breach over the past several years as they could face a lawsuit from the FTC on top of any other litigation they currently may be embroiled in stemming from the incursion.  

While cybersecurity best practices have existed for years in the form of standards established by the National Institute of Standards and Technology and others, Sjouwerman said that no one has been willing to spend the money to comply with these recommendations. As any security practitioner would tell you, however, being compliant does not always equal being secure.

“You have to deploy reasonable measures that the rest of your industry also rolls out to safeguard customer data and so being compliant doesn’t really help much if you want to protect against hackers,” said Sjouwerman. “For instance, Target was compliant but look at what good that did so… focusing on compliance is basically a trap.”

Although many people are worried about the federal government overstepping its bounds and trying to enforce unreasonable IT security standards on companies, Sjouwerman believes that the ruling is actually good news for the security industry as a whole.

“The internet is, honestly, Swiss cheese and so it is high time people start realizing they have to deploy what we call defense-in-depth and if you don’t do that you’re in trouble,” he said. “With the FTC coming online, if you will, that trouble is going to be a lot bigger.”

Regardless of how robust your hardware or software solutions may be, Sjouwerman said the weakest link in IT security is always humans and that companies need to train their employees to be more aware of the threats they face online.

“One of the best things you can do is roll out a security awareness program that also sends people regular, simulated phishing attacks and also trains them like you normally do so that employees stay on their toes with security top of mind,” said Sjouwerman. “This is by far the best return on investment that you can get and you can actually run this pretty fast.”

Data Breach Legislation  

While the courts may have given the FTC cybersecurity enforcement powers, at least for the time being, the issue of federal data breach legislation remains very much in flux. Earlier this year, the Obama administration introduced a bill that would create a national standard for data breach reporting requirements, but lawmakers have yet to take action on it. Even if Republicans and Democrats on Capitol Hill can come together and agree on some type of framework for a comprehensive cybersecurity bill, state attorneys general across the country have expressed a reluctance to give up their ability to enforce existing state laws that apply to data breaches and the subsequent penalties companies can face.

Despite their perceived differences, Michael Bruemmer, vice president of Experian Consumer Protection, believes the positions of the state attorneys general and the federal government are very similar. Bruemmer said the top three reasons attorneys general want to keep state notification systems in place are to protect consumers, to preserve states’ rights and to maintain control over the process. The federal government’s top priorities, by comparison, are simplifying the notification system, protecting consumers and retaining control of the process.

“Even though there has been this perception that the AGs and the feds are at odds, they are actually, I think, closer together, particularly from the AGs’ perspective,” said Bruemmer. “Although the AGs would like to keep their current system of 47 different state laws… the fact of the matter is the feds, as long as they’re not pre-empting some of the states’ ability to enforce and they have extensive protections for either the type of PII (personally identifiable information) or PHI (protected health information) that is exposed, they also have similar notification guidelines in terms of timing and reporting as well as the ability to clamp down on folks that don’t follow the rules.”

Bruemmer said the last time he checked, there were up to six different pieces of data breach legislation at various stages in Congress. At the same time, however, the states have continued to update their laws and provide additional consumer protections. For example, Oregon recently enacted a law that requires public notification of a breach that involves more than 250 consumers. Connecticut also recently passed a law that requires organizations to provide at least 12 months of credit monitoring services to those affected by a data breach and provide notice within 90 days of the incursion’s discovery.    

If Congress does pass federal data breach notification legislation at some point, Bruemmer said companies still need to establish relationships with attorneys general in the states where they operate.

“The AGs always want to be involved in the process. Even if federal legislation should pass, the AGs still need to be informed because it is their constituents that are going to be impacted by these notifications,” added Bruemmer.     

Bruemmer said that any legislation passed at the state or even the federal level is really a secondary concern for many executives when it comes to protecting their businesses against hackers.

“They are more concerned about making sure that they don’t end up in the headlines because they haven’t made cybersecurity, employee and privacy training, and updating their technology a priority,” he said.

Click here to download a PDF copy of Experian’s most recent whitepaper on pending data breach notification legislation and the impact it could have on businesses.