The recent news of former Uber Chief Information Security Officer Joe Sullivan being charged by the U.S. Federal Bureau of Investigation for concealing a data breach has sent shock waves throughout the security community. This extraordinary development, at its core, signifies the heightened level of sensitivity that is now attached to security leaders in honoring a company's data protection obligations.
Data protection risks and security
Scrutiny of security and privacy practices, particularly of technology companies, has been on the rise in a post–EU General Data Protection Regulation and post–California Consumer Privacy Act world. Notably, the CCPA provides a private right of action, which allows California consumers to sue a company for failure to protect their personal information. The U.S. Federal Trade Commission can also bring actions for unfair or deceptive security practices. Given the high stakes, it is important for security leaders to connect data protection risks to the security agenda to better protect customer data and reduce the liability exposure for the company and its officers.
But where should the CISO begin?
It turns out, the clue is hiding in plain sight. It's the concept that forms the basis of many class-action lawsuits and FTC actions: reasonable security. But while it is the legal standard companies are held to, it's not always clear what reasonable security means.
Breaking down reasonable security
CCPA: Appropriate safeguards and beyond
The bulk of CCPA class-action lawsuits brought on behalf of consumers under the private right of action (Cal. Civ. Code § 1798.150(a)) tend to focus on a company's failure to put in place appropriate safeguards to protect personal information when it knows or should know that the risk of unauthorized access or disclosure is likely (Cal. Civ. Code § 1798.81.5(b)). This is also the allegation most relevant to the CISO within the context of reasonable security.
The Zoom class-action complaint, for example, cites the company's failure to protect "non-encrypted and non-redacted personal information from unauthorized disclosure."
Take note of the notice
While these lawsuits make headlines for potential CCPA liability, an important point is the prerequisite that the consumer provide notice to the company and allow it 30 days to remedy the issue before any monetary relief can be sought.
In a CISO's world, this is analogous to a responsible disclosure program, where security issues reported in confidence to the company by hackers can be made public if the company does not fix them within a reasonable time. The CISO should similarly recognize the notice period provided by CCPA as an opportunity to address the reported issue. If the company fails to do so, then it will have failed to establish its claim to reasonable security.
Recognize the scope of information
The scope of the appropriate-safeguard requirement for a private right of action is much narrower than the general definition of personal information for CCPA purposes. Specifically, the private right of action under CCPA extends only to a predefined set of personal information (Cal. Civ. Code § 1798.81.5(d)(1)(A)). This set includes name, Social Security numbers, government-issued IDs, financial and medical information, and biometric data. It notably does not include IP addresses or other attributes, such as device IDs, that could only indirectly identify a person when combined with other data.
Beyond appropriate safeguards
Lack of appropriate safeguards, while the most common, is not the only CCPA claim a company can face. Alternate theories of liability, such as unfair or unlawful business practices under other statutes (for example, the California Unfair Competition Law or the FTC Act), may also come into play and give rise to misrepresentation claims, as discussed in the next section. In fact, the Clearview AI class-action complaint relies on violation of the UCL as the underlying cause of action in its CCPA claim against the company. The Zoom class-action complaint also included a misrepresentation claim.
Thinking beyond the CCPA and private right of action is a good segue into the FTC Act to continue the discussion on reasonable security.
FTC Act: 'Unfair and deceptive' practices
The FTC has stated, and most CISOs already believe, that there is no one-size-fits-all data security program. The mere fact that a breach occurred does not mean that a company has violated the law or will be subject to FTC action. However, repeated occurrences of failing to meet security obligations will be seen as an indicator of a lack of reasonable security.
So, what would reasonable security look like to FTC?
This question can be answered by looking at what reasonable security is not, based on the case history of FTC decisions against companies that were found to be lacking reasonable security. While sometimes questioned for its authority, such as in the LabMD case, it does provide guidance on what steps companies can take to stay out of trouble.
Pay attention to bread-and-butter security
The most basic form of reasonable security comprises bread-and-butter security mechanisms. As seen in the DealerBuilt settlement and the Tapplock settlement, the FTC treats a company's failure to perform security scanning or testing to identify vulnerabilities, or its failure to take steps such as encryption to protect personal data stored on its network, as a lack of reasonable security.
The FTC recommendations have included implementing a written information security policy and training for employees, using security measures to monitor systems and assets, and imposing access controls on data appropriate for its sensitivity. CISOs can often meet these recommendations by aligning the company's security practices with an industry-accepted standard, such as the NIST Cybersecurity Framework.
Some more clues may be found in the California Data Breach Report. According to the report, an organization’s failure to implement all of the 20 controls set forth in the Center for Internet Security’s Critical Security Controls constitutes a lack of reasonable security. This is probably a good place for any CISO to look, not just those in California.
Recognize risks of third-party sharing
An important concern under the data protection laws is data sharing with third parties. This is where CISOs need guidance to navigate the data protection risks and connect them to the security agenda.
The Clearview class-action complaint is the most notable recent example of the risk of sharing personal data with third parties that goes beyond consumer expectations. Bayview Solutions invited FTC action for “unfair public disclosure of consumers’ sensitive personal and financial information” by posting on its website “unencrypted, unprotected Excel spreadsheets.” Such action not only goes beyond reasonable consumer expectations but also demonstrates a lack of reasonable security.
Avoid misrepresentation — do what you claim
Misrepresentation as applied to a company's security practices is commonly used as the underlying theory of liability when pursuing a claim for deceptive practices under the FTC Act. In the wake of the Ashley Madison data breach, the FTC's complaint against the company cited no fewer than four different counts of misrepresentation, regarding areas such as network security, user profiles, terms and conditions for deleting profiles, and data security attestations. The FTC complaint against Uber, in the wake of two consecutive data breaches, also stemmed from charges that the company failed to live up to its data security claims, including misrepresenting the level of monitoring and protection that it provided to consumer and driver data. Implicit in the concept of misrepresentation is concealing a data breach, and the FBI charges filed against Uber's CISO subsequent to the FTC action suggest that security leaders are going to be held accountable for it.
Failure to disclose the existence of software during an install or upgrade process can also be construed as grounds for a misrepresentation claim. The FTC complaint against Oracle cited outdated, potentially insecure versions of the software being left behind without notice to the consumer during the upgrade process. The Electronic Privacy Information Center's complaint to the FTC against Zoom cited the installation of a local web server without the consumer's knowledge. Keeping this in mind, CISOs should ensure that the installation or upgrade process discloses to consumers any additional software being installed or left behind on their devices.
Comply with statutory requirements
Finally, CISOs in heavily regulated industries, such as health care and finance, should always pay attention to their existing security compliance obligations. A case in point is the FTC's action against TaxSlayer, a financial institution subject to the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act. The FTC complaint cited the company's failure to comply with the statute as contributing to a security vulnerability on its site that was exploited in a data breach.
This is probably as close to a bright-line rule as there can be for the FTC to establish a case against reasonable security. Just as a violation of a statute designed for the safety of users is considered negligence per se, failure to comply with a statute designed to protect the security of information will in a similar vein be recognized as a lack of reasonable security.
Conclusion
CISOs today must pay attention to the increasing data protection obligations when creating their security agenda. An understanding of reasonable security in this context helps them build the right foundation for their security program to mitigate data protection risks. Otherwise, they risk the consequences of failing to do so.