In June, the Federal Trade Commission (FTC) released a guide to help companies navigate the murky waters of data security. The guide follows a long line of FTC enforcement actions on data security. The IAPP Westin Research Center recently released a comprehensive look at such enforcement actions and what they’ve taught us over the years; however, a common complaint from industry has been, if perhaps less succinctly, “You’re willing to come after us for breaking the rules, but we don’t really understand what your rules are.”
In FTC v. Wyndham, Wyndham Worldwide Corporation in fact said the FTC doesn’t even have the authority to regulate data security—a case still pending in court.
The agency’s 54 security-related enforcement actions seem to say otherwise, however.
The FTC's new guidance, "Start With Security," highlights 10 places it recommends organizations focus their efforts. They’re broad categories like “control access to data sensibly” or “secure paper, physical media and devices,” for example.
Is that kind of advice really what industry was looking for?
David Shearer, CEO of (ISC)2, said although the 10 areas are "a good start, they are a little basic in nature." Shearer said he applauds the FTC for taking a stand on best practices and data security, but, from a privacy perspective, the guidance would benefit from including more on how to handle personally identifiable information.
"More specificity is required when recommending that organizations simply not collect information they don't need. Sometimes it's not that simple to make such a determination," he said.
Chris Wolf of Hogan Lovells said it’s more than some regulators do.
“The FTC plays a distinctive role among regulators around the world by providing businesses with guidance and training on how to protect personal data. Some regulators, such as those in the EU, view their roles as enforcement-only and actively refrain from providing guidance and training,” he said. “The FTC should be applauded for helping businesses avoid data events and not just enforcing against businesses after a data event occurs.”
Kirk Nahra, CIPP/US, of Wiley Rein agrees that it’s a useful document, but he said there are a couple of factors at play in its release. On the one hand, the FTC is trying to give companies helpful and useful information. But the guidance is a little self-serving, too.
“If they had come out with this document 10 years ago, Wyndham wouldn’t be able to say, ‘We didn’t know what you were talking about,’” Nahra said.
Nahra said such a document could be seen as somewhat harmful to the FTC's case in that, ostensibly, the courts could look at the FTC and say, "If you’d done this before, we couldn’t be having this Wyndham discussion."
Lee Aber, CIPT, is vice president of security and risk management at ID.me, a digital identity management network. He said if everyone was looking for the guide to be something worthy of a solid 10 on a rating scale, it realistically is more like a five.
It does give businesses a “closer road map” to what the FTC is looking for on data security, but it leaves much to be desired, he said, noting, “I would expect much stronger guidance on encryption, for example.”
While the guide mentions the word “encryption” eight times, it’s generally within the context of what various organizations that the FTC has come down on did improperly rather than specific ways or instances in which encryption should be used.
JC Cannon, CIPP/US, CIPM, CIPT, of Assertive Privacy, a consulting agency, said he would’ve also liked to see a bit more nuanced language on things like the latest version of Secure Sockets Layer encryption, for example.
But Chris Cwalina, CIPP/US, of Holland & Knight, who advises businesses from small community banks to giant financial institutions, said no guide or framework or standard is ever going to be the Bible for any organization. That is, no singular set of standards is going to apply comprehensively to every company. There's too much room for disparities between individual companies' data collection practices.
That’s something Joseph Calandrino, a technologist—who specified his views are his own and not his company’s—can get behind. He said from a technologist’s perspective, the guide does set forth principles that can meaningfully strengthen business against a broad range of threats. And of course some businesses would hope for a “detailed checklist of technical recommendations that would prevent FTC scrutiny,” but how would that even be possible?
“The variety and rapid evolution of threats would render such a list incomplete and obsolete almost immediately,” he said.
Cwalina said he tells his clients, “There’s no one-size-fits-all” on data security. “It’s always a different calculation because it’s always a different risk analysis, a different risk tolerance based on different types and amounts of information.” And more than that, the way he’d advise a healthcare company is going to be far different than how he’d advise a financial company, he said.
However, he added, the guide hits on some of the common-ground elements organizations should be thinking about and helps to give an idea of where the FTC is focusing.
Cannon agrees. He said if nothing else, following the guide is risk mitigation. If it was his organization, he said, he’d go through the guide and check off which of the listed suggestions were already being done, then scale them to the degree necessary for that particular organization's needs.
“The biggest thing is, you don’t want the FTC to open an investigation on your company and you haven’t done any of these things,” he said. Should the FTC investigate, organizations that have taken steps to have a sufficient data security plan in place that follows, in particular, those steps outlined in the guide will be shown leniency, he believes.
Calandrino said one detail tucked away in the guide that privacy pros might find helpful is the link to the Open Web Application Security Project, which provides security guidance. “To avoid falling behind, businesses may wish to seek out and regularly check relevant domain-specific guidance like this,” he said.
In the meantime, privacy pros wait to see what will happen with the Wyndham case for a company that—it may result—could have used an FTC guide way back when. Or maybe not.