TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | What’s Reasonable Security? A Moving Target Related reading: The Blind Men, the Elephant and the FTC’s Data Security Standards



“I can tell you,” Faruki Ireland & Cox trial attorney Ron Raether told the crowd at the IAPP’s Practical Privacy Series event in New York last week, “everyone wants to do what Wyndham is doing.”

The hotel conglomerate is the first to take the Federal Trade Commission (FTC) to the courts to litigate what “reasonable security” looks like, rather than reach a settlement agreement like the 40-odd companies before it. And while Wyndham and the FTC continue to throw punches in their heavyweight bout, it’s no wonder that IAPP Westin Fellow Patricia Bailin's recent study of the FTC’s history of enforcement actions was the subject of a highly attended KnowledgeNet meeting in New York City last Tuesday at the offices of Norton Rose Fulbright.

“I was impressed with this article,” said Daniel Kaufman, deputy director of the Bureau for Consumer Protection at the FTC, “and I’m not saying that just because Patsy’s sitting here next to me … We’ve been talking about what reasonable is for many years now, and I often say, ‘Look at the complaints,’ so I thought this was a very good compilation of the past decade and what is the conduct that has been unreasonable.”

From left: Daniel Kaufman, Omer Tene and Alex Yampolski at Norton Rose Fulbright, in NYC.

However, he noted that “reasonable” is very much a moving target. “It’s a process-based approach we’ve been emphasizing for many years,” Kaufman said, and what was reasonable in 2008 would no longer be sufficient today, as hackers have become highly sophisticated and the methods for preventing breaches have to match them. “We don’t think that it’s easy,” he allowed. “We realize that it’s time intensive, it’s costly, but it’s also very important and the law requires it.”

Further, Kaufman said, “I do want to emphasize that I don’t view any of these cases as close calls. They’re cases that reflect pervasive problems. It’s not like one problem with a laptop unsecured. It’s systemic and fundamental security oversight.”

So, what can CPOs or CISOs do with a study like this, which may not tell you what to do, but at least shows you what not to do?

“I think it offers a lot of common sense recommendations,” said Alex Yampolski, CEO at SecurityScorecard and a veteran of Microsoft and a host of other IT firms. “It’s like looking at the Verizon data breach report or seeing murder statistics, it’s the worst things that can happen." But some of the top reasons for breaches include "weak passwords, default settings and lack of training, and this report touches on a lot of those points.”

The risk, he said, is looking at this collection of mistakes and thinking you’re safe because your firm isn’t quite so systemically bad. Or even, he said, thinking that every firm has to spend a lot of money to set up extensive security in the first place.

“Sometimes you don’t need to focus on security awareness,” said Yampolski. “People would disagree, and say everyone needs to be aware, but it depends on your exposure, what data you deal with. The risk of a study like this is that people will say, ‘I need to do this and this,’ but really security needs to be tailored to the organization.”

What the study is great for, Yampolski adds, is advocating to the C suite if they’re not listening. “I think studies like this, when you’re a practitioner, these are your best allies. You go to a board team and say, ‘I need to spend 200k to limit employee access,’ and they say, ‘Why? Prove it to me.’ Now I can say, ‘Look, limit employee access. The FTC says so.’ This really helps. Citing things like that could be your biggest ally. This type of thing really helps me in my job.”

“I like that concept,” said Kaufman, “that when we bring actions it’s incredibly important to be able to say, ‘We need to make an investment here.’ So that every action we bring has a further effect beyond that."

Download the FTC Reasonableness Study

Download Patricia Bailin’s paper: What FTC Enforcement Actions Teach Us About the Features of Reasonable Privacy and Data Security Practices 

1 Comment

If you want to comment on this post, you need to login.

  • comment Alexander • Nov 12, 2014
    An effective information security (and privacy) program should always be based on people, processes and technology and should be a holistic approach. Picking only certain areas and ignoring others won't help you to achieve that goal. One need also to learn to be able to talk to the board or to senior management in a language they understand. Pointing your fingers to a study as a way to support your arguments might only increase your risk exposure.