I will admit to being somewhat of a comic book aficionado as well as a lover of all things automotive. Those two worlds collided in my brain this week when reading about a federal court’s decision to uphold the Federal Trade Commission’s authority to pursue actions against companies that have committed “unfair” or “deceptive” data security practices.
Here, the FTC had brought a lawsuit against various Wyndham Hotels entities, arguing that its failure to provide “reasonable and appropriate security” for data collected from its customers constituted an “unfair” practice. Wyndham fought back, saying that the FTC had no authority to pursue its action. A U.S. District Court disagreed with Wyndham, and decided that the FTC did in fact have such authority and could continue its suit against Wyndham.
So what does this have to do with comic books and cars? Two things. First, the FTC—for now—has wide latitude to assert that companies failing to provide “reasonable and appropriate data security” can have claims brought against them for unfair or deceptive practices. This reminds me of Ben Parker’s legendary advice to his nephew Peter (a/k/a Spider-Man): “With great power comes great responsibility.” The FTC now has great power in its hands to shape cybersecurity behaviors of companies, and it needs to use it wisely.
Second, with respect to cars, companies that claim to greatly improve gas mileage or automobile performance without any substantial evidence to back up their claim are a favorite enforcement target of the FTC. Fellow readers of monthly car magazines no doubt recall seeing innumerable ads that claimed items like magnets or “intake vortex” devices will dramatically improve a car’s fuel efficiency. Such claims have regularly been shown to be bunk, and the FTC has not been shy about pursuing unfair or deceptive claims against the manufacturers of those devices. No doubt this will also hold true going forward with respect to companies claiming to have the answer to our cybersecurity woes.
First, let’s start with a somewhat more detailed review of why the FTC needs to be careful with its newly affirmed authority. When it comes to certain types of claims, such as mileage or health benefits, it is fairly easy to determine whether they are accurate or not.
Cybersecurity, as we know, is anything but clear-cut. This is especially true when it comes to determining whether the cybersecurity actions of a company were “reasonable” and “appropriate”. The fact is that there are so many variables at play that this could easily be a constantly moving target, and the FTC will have to keep in mind how quickly the cyber threat can morph before it declares that a company acted in an unfair and deceptive manner.
The world of cyber-crime and attacks is a tough one for sure. There are a variety of players, ranging from nation-states and organized crime to amateurs looking to cause a little chaos—each of which has different skills and motivations. The truth is that what constitutes “reasonable” and “appropriate” data security will depend in part on the value of the information being protected. To put it bluntly, not every company can or should create a cyber-Fort Knox to protect data. Defensive tools can be extraordinarily expensive, yet ultimately incapable of stopping every threat.
So, it is up to the FTC to exercise “great responsibility” when deciding whether to take enforcement action against a company that has suffered a cyberattack. Careful balancing tests should be followed. For instance, if an employee makes off with a tremendous amount of valuable data, the FTC should consider whether sufficient controls were in place to protect that data, as well as whether “data loss prevention” tools were in place. If the employee used creative tactics to circumvent such protections, then I’m not so sure they would be guilty of an unfair or deceptive practice. After all, even the federal government could be vulnerable to such an attack (*cough* Edward Snowden).
Alternatively, the FTC should not be reticent to bring an action just because the attacker used advanced malware. There are plenty of reasonably affordable and implementable tools available to protect against such attacks, including “whitelisting” (locking down systems so only certain actions may occur) and “non-signature” based defenses like the one my client FireEye manufactures. Now, of course, if a foreign military spent considerable time and effort to circumvent those devices, then I would say the FTC should be a little more lenient.
My point here is that this is a subject area that requires careful consideration and exercise of discretion by the FTC. After all, not every breach is equal.
With respect to false or misleading claims like those often associated with less-than-scrupulous aftermarket automobile parts and devices, the decision in the Wyndham matter should put many companies on alert. I am not just talking about companies that hold personally identifiable information; I am also referring to cybersecurity product manufacturers and service providers.
It is easy to slip into superlatives when describing one’s products or capabilities. Many companies like to talk about how their cybersecurity products or services are “cutting edge” or are a comprehensive solution to cyberattacks. Be careful, however. The FTC is excellent at ferreting out such language, and as Wyndham and others will tell you, it will not hesitate to call your assertions into question.
Practically speaking, what does this mean? First, companies that hold data or make representations about the effectiveness of the security policies protecting the information they possess need to carefully review the language used in such statements. Over-promising regarding security capabilities or measures will not be a good choice, because when a breach occurs (and remember, it will occur) that will be fodder for FTC enforcement officials.
Second, companies offering cybersecurity products or services need to be especially careful about representations regarding the capabilities of their offerings. There are many different offerings out there, and oftentimes companies like to talk about how they offer a “silver bullet”. The thing about silver bullets is that they really don’t exist, so companies need to be careful to accurately portray how their offering works. More importantly, they need to be careful to discuss what their products cannot do. Now, there is a careful balance here too, as one does not want to advertise weaknesses lest criminals take advantage of such knowledge, but at the same time a company should be careful not to overstate its ability to defeat cyberattacks.
Ultimately, the FTC’s decision to take action against alleged unfair or deceptive data security claims needs to be grounded in reality. Not every breach is the fault of the victim, and each will in fact require a careful review to determine whether “reasonable” actions were taken. This will have to involve nuanced discussions between professionals, lawyers, and business leaders. At the same time, cybersecurity companies need to start carefully monitoring their representations about capabilities, lest they find themselves on the wrong end of an enforcement action.
Finally, let’s all remember that the FTC decision with respect to Wyndham is not an indictment of Wyndham’s actions. Much work remains to be done to determine whether in fact Wyndham acted unreasonably or inappropriately, and it may well be that Wyndham is found to have acted properly. The facts and circumstances will play themselves out in that regard.
The FTC needs to act in a manner consistent with the great responsibility it has been handed. The last thing we need at this time is every breach being cast as a failure, as that will result in cyber-paralysis. That is not a good result under any circumstances.
Brian Finch (@brianefinch) is a partner at Dickstein Shapiro LLP. He can be reached at firstname.lastname@example.org.