United States: FTC Shares Perspective On NIST Cybersecurity Framework And "Reasonable" Security

Christopher Cwalina is a Partner and Kaylee Cox is an Associate in the Washington D.C. office

In its recent blog post The NIST Cybersecurity Framework and the FTC, the Federal Trade Commission (FTC) shed light on how it views the NIST Cybersecurity Framework when evaluating the reasonableness of companies' data security practices.  Addressing inquiries as to whether compliance with the Framework meets the FTC's "reasonableness" standard in data security enforcement actions, the FTC emphasized that the Framework is not a standard or checklist and does not include specific requirements or elements.  Therefore, the FTC reasoned, there is no such thing as "complying with the Framework" for FTC purposes.

Importantly, however, the FTC asserted that the approaches of the Framework and the FTC are wholly consistent.  Highlighting that risk assessment and mitigation are at the Framework's core, the Commission acknowledged that the Framework calls for companies to evaluate the same types of practices that the FTC "has been evaluating for years" when determining the reasonableness of organizations' data security processes. 

Specifically, the FTC identified several parallels between the Framework's five functions—Identify, Protect, Detect, Respond, and Recover—and the alleged deficiencies by companies that the Commission has challenged in past data security enforcement actions:

• Identify—Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. 
  
  The FTC noted that it has brought several cases for organizations' failure to take reasonable steps to assess and address security risks, such as:
  
  
  • failure to implement policies and procedures to safeguard consumer information; and
  • lack of process for receiving, addressing, or monitoring reports about security vulnerabilities.
    
    
• Protect—Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. 
  
  Practices that have served as the bases for FTC actions that correspond with the Protect function include:
  
  
  • granting system admin rights to a large portion of the employee population; and
  • failure to adequately protect data in transit (e.g., laptop and portable media thefts).
    
    
• Detect—Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. 
  
  The FTC correlated the following practices identified in past enforcement actions with the Detect function:
  
  
  • failure to use an intrusion detection system;
  • failure to monitor system logs for suspicious activity; and
  • failure to inspect outbound traffic to identify unauthorized disclosures of personal information.
• Respond—Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. 
  
  The FTC provided several examples from prior enforcement actions of companies' practices relating to the Respond function:
  
  
  • failure to follow proper incident response procedures;
  • failure to monitor for threats and vulnerabilities attributed to prior incidents;
  • failure to provide adequate notice to consumers about security risks and mitigation tactics; and
  • failure to take appropriate steps when a breach happens, particularly with respect to containment and communication protocols.
• Recover—Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
  
  The FTC emphasized the importance of consumer interests in the development of a recovery plan and pointed to prior FTC orders that aligned with the Recover function, focusing primarily on the need to communicate recovery activities with internal and external parties.

Although the Framework was originally drafted for the Critical Infrastructure sector, the FTC stressed that all companies may benefit from leveraging the Framework to improve risk-based security.  The Commission also encouraged organizations to review its Start with Security publication, which summarizes lessons learned from FTC data security cases.

The FTC's position on the NIST Cybersecurity Framework is consistent with the well-accepted principle that cybersecurity risk management is not a check-the-box process, nor is there a one-size-fits-all solution.  Maintaining a robust and reasonable information security program is an ongoing process, which requires continual attention and efforts.  While implementing the Framework alone likely will not result in wholesale immunity from FTC enforcement actions, it can help to mitigate the risk of committing many of the poor security practices that frequently serve as the bases for alleged Section 5 violations.  In addition, the FTC's perspective on the NIST Cybersecurity Framework suggests that consistent implementation of the Framework can help demonstrate that an organization has prioritized its cybersecurity program and may also serve as evidence of efforts to achieve reasonable security.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.