FTC Expounds on NIST Cybersecurity Framework; Invites Comment on GLBA Safeguards Rule

On August 31, 2016, the Federal Trade Commission published “The NIST Cybersecurity Framework and the FTC” on its blog. The post describes how, in many ways, the FTC’s enforcement actions are “aligned” with the NIST Cybersecurity Framework and that many of the Commission’s enforcement actions can be analyzed under the Framework’s five core principles. The post also makes plain, however, that a company’s compliance with the Framework is not necessarily required, nor is adoption of the Framework clearly sufficient to satisfy the Commission’s requirement that companies establish “reasonable” cybersecurity practices.

Five core principles or functions serve as the organizing structure of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. In much of the post, the FTC describes each of these functions and then uses its enforcement actions to illustrate the principles in play. For instance, the FTC reports that “[t]he Framework’s Detect function delineates various steps that organizations can take to develop and implement appropriate methods to identify the occurrence of a cybersecurity event in a timely manner.” These steps could include “monitoring information systems and assets at discrete intervals, and maintaining and testing detection processes and procedures to ensure timely and adequate awareness of anomalous events.” The FTC then notes that this principle similarly animated its actions against Dave & Buster’s Inc. and Franklin’s Budget Car Sales, in which the companies failed to erect “intrusion detection system[s],” “monitor system logs for suspicious activity,” and “inspect outgoing Internet transmissions to identify unauthorized disclosures of personal information.”

Throughout the post, the FTC emphasizes its consistent application of a flexible reasonableness standard, noting that while “NIST’s Cybersecurity Framework is consistent with the process-based approach that the FTC has followed since the late 1990s,” “the touchstone of the FTC’s approach to data security has been reasonableness”—not a particular “standard or checklist.” The post characterizes the Framework as being “about risk assessment and mitigation” and notes that it “doesn’t include specific requirements or elements.” As a result, though the Framework can “serve as a model for companies of all sizes,” it is not a requirement to comply with FTC precedent, nor is it necessarily sufficient. The FTC will continue to determine whether a company’s practices are reasonable in a case-by-case fashion, and it directs the public to its Start with Security publication for further guidance. See Data Matters, Federal Trade Commission Releases Guide for Businesses on Data Security (July 13, 2015).

* * *

The Federal Trade Commission announced on August 29, 2016 that it would seek comments from the public on its Standards for Safeguarding Customer Information, commonly referred to as the “Safeguards Rule.” This rule, enacted pursuant to the Gramm-Leach-Bliley Act, “applies to all ‘financial institutions’ over which the Commission has jurisdiction.” 81 Fed. Reg. 61632, 61633 (Sept. 7, 2016). It requires these institutions to develop data-security protocols that limit unauthorized access to personal customer information.

The FTC originally promulgated the rule in 2003, and it now requests comment on a variety of general and specific issues. These include:

  • What modifications should be made to benefit consumers?
  • What modifications should be made to benefit business?
  • What are the costs of such modifications and how would they interact with other federal, state, and local laws and regulations?
  • Should the rule require certain aspects or elements in data-security programs?
  • Should the rule require companies to comply with a particular framework, such as the NIST Cybersecurity Framework or the Payment Card Industry Data Security Standard?

Various agencies share jurisdiction over financial institutions and thus have their own version of the Safeguards Rule. So, while any changes to the FTC’s rules may not directly impact all financial institutions, they are likely to spur similar changes in the other agencies’ rules and may be influential in other agencies’ interpretations.