Sep 162016

FTC Expounds on NIST Cybersecurity Framework; Invites Comment on GLBA Safeguards Rule

Colleen Theresa Brown and Christopher Eiswerth
, , ,

On August 31, 2016, the Federal Trade Commission published “The NIST Cybersecurity Framework and the FTC” on its blog. The post describes how, in many ways, the FTC’s enforcement actions are “aligned” with the NIST Cybersecurity Framework and that many of the Commission’s enforcement actions can be analyzed under the Framework’s five core principles. The post also makes plain, however, that a company’s compliance with the Framework is not necessarily required, nor is adoption of the Framework clearly sufficient to satisfy the Commission’s requirement that companies establish “reasonable” cybersecurity practices.

Five core principles or functions serve as the organizing structure of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. In much of the post, the FTC describes each of these functions and then uses its enforcement actions to illustrate the principles in play. For instance, the FTC reports that “[t]he Framework’s Detect function delineates various steps that organizations can take to develop and implement appropriate methods to identify the occurrence of a cybersecurity event in a timely manner.” These steps could include “monitoring information systems and assets at discrete intervals, and maintaining and testing detection processes and procedures to ensure timely and adequate awareness of anomalous events.” The FTC then notes that this principle similarly animated its actions against Dave & Buster’s Inc. and Franklin’s Budget Car Sales, in which the companies failed to erect “intrusion detection system[s],” “monitor system logs for suspicious activity,” and “inspect outgoing Internet transmissions to identify unauthorized disclosures of personal information.”

Throughout the post, the FTC emphasizes its consistent application of a flexible reasonableness standard, noting that while “NIST’s Cybersecurity Framework is consistent with the process-based approach that the FTC has followed since the late 1990s,” “the touchstone of the FTC’s approach to data security has been reasonableness”—not a particular “standard or checklist.” The post characterizes the Framework as “about risk assessment and mitigation” and “doesn’t include specific requirements or elements.” As a result, though the Framework can “serve as a model for companies of all sizes,” it is not a requirement to comply with FTC precedent, nor is it necessarily sufficient. The FTC will continue to determine whether a company’s practices are reasonable in a case-by-case fashion, and it directs the public to its Start with Security publication for further guidance. See Data Matters, Federal Trade Commission Releases Guide for Businesses on Data Security (July 13, 2015).

* * *

The Federal Trade Commission announced on August 29, 2016 that it would seek comments from the public on its Standards for Safeguarding Customer Information, commonly referred to as the “Safeguards Rule.” This rule, enacted pursuant to the Gramm-Leach-Bliley Act, “applies to all ‘financial institutions’ over which the Commission has jurisdiction.” 81 Fed. Reg. 61632, 61633 (Sept. 7, 2016). It requires these institutions to develop data-security protocols that limit unauthorized access to personal customer information.

The FTC originally promulgated the rule in 2003, and it now requests comment on a variety of general and specific issues. These include:

  • What modifications should be made to benefit consumers?
  • What modifications should be made to benefit business?
  • What are the costs of such modifications and how would they interact with other federal, state, and local laws and regulations?
  • Should the rule require certain aspects or elements in data-security programs?
  • Should the rule require companies to comply with a particular frameworks, such as the NIST Cybersecurity Framework or the Payment Card Industry Data Security Standards.

Various agencies share jurisdiction over financial institutions and thus have their own version of the Safeguards Rule. So, while any changes to the FTC’s rules may not directly impact all financial institutions, they are likely to spur similar changes in the other agencies’ rules and may be influential in other agencies’ interpretations.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Christopher Eiswerth

ceiswerth@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.

FINRA Issues 2023 Report on Its Examination and Risk Monitoring Program

On January 10, 2023, the Financial Industry Regulatory Authority (FINRA) published its 2023 Report on its Examination and Risk Monitoring Program (the Report).1 The 75-page Report includes four new topic areas for 2023: (1) manipulative trading, (2) fixed income — fair pricing, (3) fractional shares — reporting and order handling, and (4) Regulation SHO.