On August 31st and September 7th, 2016, the Federal Trade Commission (FTC) provided guidance on cybersecurity standards that companies should consider when assessing their current data security posture.
NIST Framework Compliance Is Not Enough
On August 31st, the FTC published a blog post that answered the question: “If I comply with the NIST Cybersecurity Framework (Framework), am I complying with what the FTC requires?” The answer: no. But even so, the blog post offered helpful guidance to businesses by endorsing the Framework as a model for risk assessment and mitigation.
The FTC blog recounted the background of the Framework: an executive order issued by President Obama in 2013 directed the Department of Commerce’s National Institute of Standards and Technology (NIST) to develop a set of industry standards and best practices to help organizations identify, assess, and manage cybersecurity risks, and NIST did so by issuing the Framework in February 2014. The Framework provides organizations with a risk-based compilation of “Core” functions (Identify, Protect, Detect, Respond, and Recover) that together offer a strategic view of the lifecycle of an organization’s management of cybersecurity risk. Each function is further divided into categories and subcategories tied to programmatic needs and particular activities. The blog offered examples of actions the FTC has taken when companies failed to implement data security practices the Framework emphasizes. For example, it noted that in its action against Twitter, Inc., the FTC alleged that the company gave administrative control over its system to almost all of its employees, conduct at odds with the Framework’s Protect function, whose access control category calls for limiting privileges to what a role actually requires.
So why does the FTC reject “compliance” with the Framework as being sufficient to satisfy FTC requirements? The FTC says that the Framework “is not, and isn’t intended to be, a standard or checklist.” Instead, “[i]t’s meant to be used by an organization to determine its current cybersecurity capabilities, set individual goals, and establish a plan for improving and maintaining a cybersecurity program.”
The FTC concludes that the Framework should be used as a model for conducting risk assessments and mitigation. For example, asking whether a company has implemented the Core functions the Framework describes is much the same inquiry the FTC makes in enforcement actions under Section 5 of the FTC Act when deciding whether a company’s data security and its processes are reasonable. In that sense, the FTC says, “the Framework and the FTC’s approach are fully consistent.”
Looming Ransomware Enforcement Activity
In a speech on September 7th at the FTC’s Fall Technology Series on Ransomware, FTC Chairwoman Edith Ramirez warned that a company’s failure to adequately patch vulnerabilities that enable ransomware attacks could subject the company to an enforcement action. The FTC is “eager to expand” its understanding of the growing threat of ransomware, a type of malware that encrypts a company’s valuable digital files and demands payment in exchange for the key needed to recover them. Ramirez further emphasized the FTC’s unique role in protecting businesses and consumers from ransomware.
The FTC’s blog and recent statements give businesses further guidance not only for defending against or handling a cyberattack, but also for potentially avoiding an FTC enforcement action. In using the Framework as a model, companies should make sure that their risk identification under the Identify function covers the vulnerabilities ransomware exploits, and that the Protect function then includes timely patching of those vulnerabilities. Because ransomware also arrives through channels that patching alone does not close, such as phishing, the Recover function matters just as much: regularly tested backups kept out of reach of the malware are what let a company restore its files without paying.
Stay tuned for further developments.