FTC Links Its Data Security Standards to NIST Cybersecurity Framework | Practical Law

The FTC has published guidance linking its reasonableness standard for data security to the voluntary National Institute of Standards and Technology (NIST) Cybersecurity Framework. The FTC emphasized that it has brought enforcement actions alleging lapses and entered into consent decrees with corresponding requirements in each of the Framework's core functions. The FTC urged companies to use the NIST Cybersecurity Framework as part of their risk-based data security programs.

Practical Law Legal Update w-003-3097 (Approx. 4 pages)

by Practical Law Intellectual Property & Technology
Published on 01 Sep 2016 | USA (National/Federal)
On August 31, 2016, the FTC published a blog post linking its reasonableness standard for data security to the voluntary National Institute of Standards and Technology (NIST) Cybersecurity Framework. The FTC emphasized that it has brought enforcement actions alleging lapses and entered into consent decrees with corresponding requirements in each of the Framework's five core functions:
  • Identify. The Identify function refers to developing and implementing policies and processes to understand a company's risks and prioritize cybersecurity activities. As examples, the FTC noted its complaints against CVS Caremark Corporation and Petco Animal Supplies, Inc. In both of those cases, the FTC alleged that the companies failed to implement reasonable data security policies and procedures to protect consumers' information. The FTC also highlighted cases alleging that companies failed to maintain processes for addressing security vulnerability reports.
  • Protect. The Protect function focuses on developing and implementing appropriate cybersecurity safeguards. Many FTC actions allege that companies have failed to implement reasonable data security practices. As an example, the FTC noted its complaint against Twitter, Inc. where it alleged that Twitter increased its data security risks by giving almost all of its employees administrative access to the company's system.
  • Detect. The Detect function includes developing and implementing processes to timely detect cybersecurity incidents. The FTC has brought several cases that highlight the importance of implementing processes to detect intrusions, including its action against Dave & Buster's, Inc., where the FTC alleged the company failed to:
    • use an intrusion detection system; and
    • monitor its system logs for suspicious activities.
  • Respond. The Respond function refers to developing and implementing an action plan to respond to cybersecurity events and contain their impact. The FTC's oft-cited action against Wyndham Worldwide Corp. alleged that the company failed to follow reasonable incident response procedures, leading to multiple security breaches and more than $10.6 million in credit card fraud. For more information on the FTC's action against Wyndham, see Legal Update, FTC and Wyndham Hotels Reach Agreement to Settle Data Breach Charges.
  • Recover. The Recover function focuses on restoring normal operations and making improvements based on lessons learned from cybersecurity events. The FTC highlighted the need to address consumer interests in recovery plans. For example, the FTC's consent order with Oracle Corporation required the company to provide users with Java vulnerability notices and remediation steps (see Legal Update, FTC Settles Charges Oracle Misled Customers about Java Security Updates).
The FTC urged companies to:
  • Review its Start with Security guidance that summarizes ten lessons learned from FTC data security enforcement cases.
  • Use the NIST Cybersecurity Framework as a model for:
    • Assessing and managing data security risks.
    • Establishing or improving their data security programs.
    • Reviewing their current data security practices.
    • Communicating their data security requirements and program status to stakeholders, including executives.