At the end of August, the Federal Trade Commission (FTC) put out a press release announcing a new blog post about the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), and its impact on all companies. The Framework was originally developed for critical infrastructure, but the FTC believes that the Framework is consistent with the “process-based approach” the FTC has taken in its data security law enforcement actions (which do not pertain exclusively to critical infrastructure, but rather to a broad swath of companies), as well as its previous guidance to businesses, such as its Start with Security publication. The FTC also states its belief that “compliance” with this Framework does not constitute any sort of safe harbor. Though this Framework does not set a data security standard, the FTC’s blog post strongly suggests that companies should refer to the Framework’s “core,” which addresses a number of security practices, in managing information security risk and, more broadly, in building—and reviewing—their cybersecurity programs. In that regard, the reliance on a Framework developed for critical infrastructure is also another example of regulators ratcheting up expectations for what constitutes “reasonable” security.
Background on the NIST Cybersecurity Framework
Executive Order 13636 (Order), which was released on February 12, 2013, directed the U.S. government to take a number of steps to protect the critical infrastructure from cyber threats. As part of the Order, NIST was directed to issue (and periodically update) a “cybersecurity framework” that includes a set of standards, methodologies, procedures, and processes to address cyber risks for critical infrastructure. NIST released a draft outline of a cybersecurity framework on July 1, 2013, and then issued the framework itself in February 2014. One of the main questions non-critical infrastructure companies have had regarding the framework is whether it is relevant to their cybersecurity efforts.
The Framework is not a data security standard like NIST SP 800-53 but rather a “risk-based approach to managing cybersecurity risk.” While it is composed of three parts, the FTC’s blog post focuses on the Framework Core, which is “a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.”
The FTC notes that even though the Framework was ostensibly drafted for critical infrastructure, it is worthwhile “for most organizations” because of its goal of improving risk-based security. In addition, the FTC believes that the Framework offers additional benefits, such as fostering collaboration and communication between IT staff and business personnel because of its use of a common, non-technical language. Nevertheless, the blog post appears to overlook the implications of imputing security expectations for critical infrastructure to other types of enterprises. That is, the FTC has consistently insisted that to be “reasonable” an information security program must, among other things, be commensurate with an entity’s size and complexity and the nature and scope of its activities. Here the FTC seems to be disregarding these concepts and suggesting that all enterprises must have an information security program commensurate with the programs of entities that are critical infrastructure.
The Framework Core describes five activities, or “functions”: Identify, Protect, Detect, Respond, and Recover.
In the Framework, categories and subcategories articulate the implementation of each function. For example, the category “Asset Management” sits within the Identify function, and its subcategories describe components of asset management, such as maintaining an inventory of the organization’s physical devices and systems. These types of information security concepts are consistent with other security approaches, such as the NIST SP 800 series and the CIS Critical Security Controls, and with the expectations of other regulators such as the California Attorney General.
How the Framework Relates to the FTC’s Data Security Enforcement Regime
The FTC states, in its blog post, that these five functions “signify the key elements of effective cybersecurity.” Thus the FTC appears to believe that companies can use the five core functions of the Framework as a “model” for conducting risk assessments and mitigation, and then either establish or improve their data security programs. While it is not explicit, there appears to be a strong implication in the blog post that an organization will be able to demonstrate more effectively to the FTC that it has a “reasonable” information security program if it applies the risk management approach presented in the Framework “with a reasonable level of vigor.”
To enforce this point, the FTC explains that the framework is “fully consistent” with the FTC’s approach to data security. In other words, “[t]he types of things the Framework calls for organizations to evaluate are the types of things the FTC has been evaluating for years in its Section 5 enforcement to determine whether a company’s data security and its processes are reasonable.” To drive home the point, the FTC provides examples of how its previous data security enforcement cases map to issues related to each of the five functions of the Framework core.
Related to the “Identify” function, for example, the blog post notes that the FTC’s cases against HTC America and TRENDnet included allegations that the companies did not have a process for assessing and remediating security vulnerabilities. Thus, consistent with the concept of the Identify function, “the FTC’s cases have sought to ensure that companies are taking reasonable steps to identify vulnerabilities and threats to determine the risk to consumers’ personal information.” Similarly, the blog post cites cases relating to the “Protect” function, including Accretive Health, in which the companies failed to protect information by transporting media containing personal information without appropriate controls in place.
With respect to the “Detect” function, the FTC cites cases in which it alleged that companies did not have intrusion detection systems in place and did not monitor logs for suspicious activity, such as Dave & Buster’s. And, under the “Respond” function, the FTC notes that it has brought cases alleging a failure to “execute and maintain reasonable response processes and procedures,” such as Wyndham. In that case, as alleged by the FTC, the company did not monitor for malware that had been used in a previous breach of the company’s network. Finally, the FTC appears to stretch one of its cases into the “Recover” function by suggesting that a requirement in a recent Order that a company provide notice to its customers about a vulnerability issue demonstrates the importance of returning to normal operations after a cybersecurity event. The idea here appears to be that organizations should consider, in their recovery plans, communications with internal and external parties regarding recovery activities.
The blog post explains that, just as the Framework is a compilation of practices to improve risk-based security, the FTC believes that “security is a continuing process of detecting risks and adjusting one’s security program and defenses.” The blog post suggests that the FTC believes that the Framework provides an outline of “fundamental security practices” to protect consumer information and, in turn, avoid FTC enforcement. As a result, the FTC’s citation of the Framework could signal the FTC’s intention to begin applying a critical infrastructure approach to non-critical infrastructure, and thus to redefine what it means for any enterprise to have “reasonable” security regardless of its size and complexity or the nature and scope of its activities.
See, for example, our Client Alert on the California Attorney General’s most recent data breach report and the position that the 20 controls in the Center for Internet Security’s (CIS) Critical Security Controls define a “minimum level” of information security.