It may seem unjust to be held liable by the government when a breach was actually due to actions of a criminal. However, this is not the view of the 3rd Circuit. The August 24th, 2015 opinion by the 3rd Circuit Court of appeals in FTC v. Wyndham Worldwide Corp, et al (0:14-cv-03514) reinforces the government’s ability to enforce cybersecurity controls, without defining them.
Cybersecurity standards, such as the PCI-DSS, are helpful as they provide requirements organizations must meet. Meet the requirements and your Qualified Security Assessor will certify your organization as PCI Compliant. However, there are no specific requirements to become legally compliant. While HIPAA provides standards, its risk assessment requirement (45 CFR 164.308(a)(1)(ii)(A) and (B)) provides an open door, if you fail to identify and/or manage risks, you could be liable under HIPAA.
So how does an organization manage this legal exposure? The 3rd Circuit has provided some guidance:
- Look at cybersecurity publications by government regulatory and standards groups, like the Federal Trade Commission, the U.S. Department of Health and Human Services and the National Institute of Standards and Technology.
- Review enforcement actions by the regulatory agencies (e.g., FTC, HHS, OCR), including reviewing some FTC standards and HIPAA examples.
- Ensure your published privacy statements match your actual security practices.
- If you have had a breach, learn from it and correct the cause of the breach. While not an indication by the court, you should also look at the breaches of others, especially those made highly public.
At the heart of the FTC’s ability to regulate cybersecurity is fairness. While a somewhat broad concept, in this context, there is legislative guidance provided by 15 U.S.C. 45(n). The FTC cannot declare an activity unfair unless:
“The act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
The 3rd Circuit interprets this as a cost-benefit analysis, to be compliant with 45(n), organizations need to weigh the:
“Probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity.”
Based on this guidance, every organization that holds customer data should perform a cost benefit analysis of its cybersecurity controls. Weigh the costs of a breach against the cost of implementing security measures. Look at the type of data you store. Is it cardholder data? Social security numbers? Patient health information? What costs would your customers incur if this information was released to criminals? Use recent examples, such as the $10.6 million from the Wyndham breaches, to help determine a number. Then look at what you are spending on your cybersecurity controls. If the gap between those two numbers cannot be reconciled, you may not be fair to your customers. This should be a formal, documented process, so you are able to provide clear evidence of your organization’s compliance with 45(n) when the FTC investigates your organization.
One of the most poignant quotes from the opinion, that highlights the current uncertainty in cybersecurity regulation, is the 3rd Circuit’s reference to Cf. Nash v. United States, 229 US 373, 377 (1913):
“The law is full of Instances where a man’s fate depends on his estimating rightly…”
Is your organization estimating its cybersecurity rightly? If you’re unsure or looking for assistance, Proficio can help you. With advanced SIEM technology, certified cybersecurity professionals, and ProSOC remediation services, we can help guide your organization through this uncertain regulatory environment.
*Disclaimer: The above content is for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem.