What, exactly, should your business do to protect itself from a Federal Trade Commission enforcement action for failing to use reasonable precautions to ensure data security for your customers’ sensitive, private information? In our last post we discussed the difficulty involved in complying with a standard for which no specific regulation has been promulgated; the statute which forms the basis of the standard is amorphous, especially when applied to data security; and the binding case law to which it is recommended that you turn, is nascent, if not non-existent. In this post, we will examine what businesses can and are doing to protect themselves, by taking what little guidance is available and making it work, on their own.
Perhaps the best guidance as to what your business must do comes from the Wyndham case we have spent so much time analyzing, which officially is entitled, The Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corp., et al., Defendants. Civil Action No. 13-1887 (ES), United States District Court, D. New Jersey. The April 7, 2014 decision of U.S.D.J. Esther Salas, which denied the motion to dismiss brought by one of the defendants, Hotels and Resorts, went to great lengths to point out the available sources of guidance in the absence of specific regulations for data security requirements. In our last article, though, we pointed out the problems of relying for guidance on some of the sources recommended by the court: inchoate case law, which is in its infancy and, at best, incomplete, and on a statute designed to leave a regulatory agency significant flexibility to assert its enforcement power, and which was enacted before the need for data security, or cybersecurity, even was conceived.
The other sources of guidance referred to by the court in the Wyndham case include the FTC’s public complaints, consent agreements, business guidance brochure, and public statements. Even the court, however, admitted those are not controlling, but are only persuasive, authority.
The last sources of guidance approvingly mentioned by the court in the Wyndham case are industry standard practices and commercially reasonable efforts to ensure data security. If a business, or group of businesses, can define those terms, so that they actually mean something concrete, then they should be effective in defending against claims that a business did not go far enough to ensure the security of its customers’ data.
Banding together to share information regarding threats and cybersecurity best practices, it seems, is exactly what some very well-known companies are doing. As we have previously written:
On May 14, 2014, the Retail Industry Leaders Association, with the reported backing of companies such as American Eagle Outfitters, Gap Inc., J. C. Penney Company Inc., Lowe’s Companies, Inc., Nike, Inc., Safeway, Inc., Target Corporation, VF Corporation and Walgreen Company, announced a joint effort to share information regarding cyber-threats and security. Named the Retail Cyber Intelligence Sharing Center, or R-CISC, it is designed as a way to allow retailers to enhance cybersecurity by sharing information about, and developing means to protect against, such threats.
The retailers’ emphasis on developing industry-wide best practices for data security is clear from their 5.14.14 press release, and goes beyond just sharing information amongst themselves:
RILA [the Retail Industry Leaders Association] has also consulted with recognized third-party cyber specialists and subject matter experts including CrowdStrike, FS-ISAC and other ISACs, IBM, iSIGHT Partners, Information Security Forum, the National Cybersecurity and Communication Integration Center (NCCIC), National Cyber Security Alliance and Verizon to identify leading practices related to threat information sharing.
These “leading practices,” if RILA’s members can develop, implement, and abide by them, would be significant evidence that the companies each took Reasonable Precautions to ensure the security of their customers’ data. The fact that they were developed by leading members of the industry with input from “recognized third-party cyber specialists,” would make them “Industry Standard Practices.” The fact that the companies each successfully followed those practices would make the practices “Commercially Reasonable.”
The retailers, however, went even further to demonstrate their commitment to data security. They also agreed to share information regarding threats and precautions with relevant government agencies. Again quoting from RILA’s May 14, 2014 press release:
In order to create a structure tailored to the needs of the retail industry, the R-CISC was developed with input from more than 50 of America’s largest retailers, and in consultation with key stakeholders including federal law enforcement, government agencies and subject matter experts.
“We have seen a sharp increase in the number of malicious actors attempting to access personal information or compromise the systems we all rely on, in the retail industry and elsewhere,” said Dr. Phyllis Schneck, Deputy Under Secretary for Cybersecurity and Communications at the U.S. Department of Homeland Security National Protection and Programs Directorate. “We continue to work with the private sector to create shared situational awareness of potential cybersecurity vulnerabilities. The Retail Cyber Intelligence Sharing Center will further enhance DHS’s collaboration with this important sector of the American economy and will provide information and resources that can help companies keep their networks and the consumer information stored on them safe and secure.”
Paul Morrissey, U.S. Secret Service Assistant Director for Investigations said, “The Secret Service actively supports information sharing initiatives such as the Retail Cyber Intelligence Sharing Center (R-CISC) announced today by RILA. The Secret Service also continues its commitment to promote public/private partnerships through its 33 nationwide Electric Crimes Task Forces (ECTFs) and two international ECTF’s, which bring together over 6,100 private sector partners, members of academia and local, state and federal law enforcement.”
The Federal Trade Commission would be hard-pressed to say that Industry Best Practices developed by RILA with input from governmental agencies such as the Federal Bureau of Investigation, the Secret Service, and the Department of Homeland Security, were anything less than adequate. At least, that must be the hope of its members.
Think of the vast sums at risk when retailers’ payment systems are hacked. Think of the high costs involved in remediating the risk and compensating for the damage. Then think of the headlines this past holiday season, and the backers of this initiative. Taking these steps and developing standards, through their own efforts, might be considered a good insurance policy against FTC enforcement actions for lax data security practices, both those already brought and those not yet commenced. That, however, is a story for another day.
Go raibh maith agat