Our European colleagues like to tell me that the U.S. doesn’t have a proper cybersecurity regulator, and that we over-rely on the voluntary NIST Framework (which even the government wasn’t adhering to, until Trump’s Cyber EO). They’re wrong. The FTC is a shadow regulator on cyber, and it is shaping what businesses must do about cybersecurity. Most troublingly, it is doing so without clear standards and in apparent self-denial. This has wide-ranging ramifications. For the automotive industry, for example, it is increasingly likely that FTC regulation will affect connected and autonomous vehicles, as well as the back-end systems manufacturers use to develop them; the healthcare industry faces the same prospect.
Shadow regulations problematic
What I’m calling shadow regulations are regulations that are not regulations on the issue in question, per se, but rather something apparently unrelated that has a profound impact on the issue. Good examples often come from the world of trade: using national cybersecurity as a way of protecting local industry is by now an unoriginal way of getting around WTO agreements. Indeed, it’s the sort of behavior the U.S. Government typically criticizes other major powers like China or India for.
The way the FTC regulates is problematic because it is based on a “call it like we see it” after-the-fact approach that increases risk and uncertainty for businesses. We’ve seen this pattern take shape over several cases in the past few years: D-Link, Wyndham, Ashley Madison, and ASUS are among the precedents establishing it. Basically, the FTC finds out about a cybersecurity problem in a product or service and looks at what the other offerings in the market are doing about cybersecurity.
How exactly does cybersecurity fit into their scope of work? It’s a reach – but according to the FTC, they enforce a number of laws applicable to data security that cover a wide array of entities. The primary authority is the FTC Act, which prohibits unfair and deceptive acts. As applied to data security, the FTC Act requires that companies refrain from making deceptive security claims. A failure to have taken reasonable security measures can also constitute an unfair practice under the FTC Act. For example, if they find that a company isn’t complying with the general standard in the industry and isn’t making that clear to customers, then they feel they have the right to prosecute under Article 5 of the FTC Act, which prohibits “unfair or deceptive business practices in or affecting commerce.”
The FTC’s argument is that Article 5 allows it to prosecute companies that disclosed a cybersecurity posture lower than the rest of the industry. This was affirmed by the courts in FTC v. Wyndham Worldwide Corp., 799 F. 3d 236 (3d Cir. 2015). The advantage for the FTC in this case is that it can exert regulatory pressure on companies it knows are non-compliant with rules it has only now discovered and is eager to enforce.
This approach is always backwards-looking, and a company won’t know it has violated these unwritten regulations until it’s dealing with a lawsuit. While there is certainly value in letting the market determine the kinds of security on offer, rather than prescriptive regulations that bind industry’s hands and reduce competition, a more collaborative approach with industry could address the backwards-looking nature of the FTC’s oversight.
These adversarial regulatory actions don’t fall only on technology companies. Indeed, the Wyndham case shows that the FTC will enforce its cyber regulations on any entity it feels has violated its unwritten best practices. It’s not hard to imagine a case in the not-too-distant future where an auto manufacturer has spent tens of millions to develop a new suite of connected car tools, only to be fined by the FTC because it hadn’t included features the FTC considered industry standard. The cost to the manufacturer would go beyond the fine and could carry major reputational costs for the company. After all, we’ll soon be asking for cybersecurity ratings on vehicles right alongside the crash test ratings. This sort of regulatory risk is likely to slow innovation, not foster it.
Regulating cybersecurity without a clear mandate
The FTC doesn’t have a dedicated cybersecurity regulatory mandate. In fact, if you ask FTC officials about it, the common response is “we don’t really do anything about cybersecurity, it’s not in our jurisdiction.” The problem is, several recent cases show this is simply not how things are playing out in the real world:
D-Link: cybersecurity by design, but only after all designs are in play:
In January of this year, the FTC sued D-Link,1 a maker of home Wi-Fi routers and other home networking equipment, because its products did not live up to the security design practices that most of the other major industry players had already adopted. However, the FTC hadn’t published any such list beforehand; it decided what was appropriate only after D-Link had shipped products around the world. The case is still pending, and unlike two prior cases that were settled out of court (ASUS and TRENDnet), it may lead to jurisprudence on cybersecurity design, marketing, and patching that will shape the FTC’s relationship with the IoT industry.