Our European colleagues like to tell me that the U.S. doesn’t have a proper cybersecurity regulator, and that we over-rely on the voluntary NIST Framework (which even the government wasn’t adhering to, until Trump’s Cyber EO). They’re wrong. The FTC is a shadow regulator on cyber, and it is shaping what businesses must do about cybersecurity. Most troublingly, it is doing so without clear standards and in apparent self-denial. This has wide-ranging ramifications: in the automotive industry, for example, it is increasingly likely that FTC regulation will affect connected and autonomous vehicles and the back-end systems manufacturers use to develop them, and the healthcare industry is exposed as well.
Shadow regulations are problematic
What I’m calling shadow regulations are not regulations on the issue in question, per se, but rather something apparently unrelated that has a profound impact on the issue. Good examples often come from the world of trade: using national cybersecurity as a way of protecting local industry is, at this point, an unoriginal way of getting around WTO agreements. Indeed, it’s the sort of behavior the U.S. Government typically criticizes in other major powers like China or India.
The way the FTC regulates is problematic because it is based on a “call it like we see it” post-facto approach that increases risk and uncertainty for businesses. We’ve seen this pattern take shape over several cases in the past few years: D-Link, Wyndham, Ashley Madison, and ASUS are among the precedents establishing it. Basically, the FTC finds out about a cybersecurity problem in a product or service and then looks at what the other offerings in the market are doing about cybersecurity.
How exactly does cybersecurity fit into their scope of work? It’s a reach – but according to the FTC, they enforce a number of laws applicable to data security that cover a wide array of entities. The primary authority is the FTC Act, which prohibits unfair and deceptive acts. As applied to the data security area, the FTC Act requires that companies refrain from making deceptive security claims. A failure to have taken reasonable security measures also can constitute an unfair practice under the FTC Act. For example, if they find a company isn’t complying with the general standard in the industry, and not making it clear to customers, then they feel they have a right to prosecute under Article 5 of the FTC Act, which prohibits “unfair or deceptive business practices in or affecting commerce.”
The FTC’s argument is that Article 5 allows it to prosecute companies that disclosed a cybersecurity posture that is lower than the rest of the industry. This was affirmed by the courts in FTC v. Wyndham Worldwide Corp., 799 F. 3d 236 (3d Cir. 2015). The advantage for the FTC in this case is that it can exert regulatory pressure on companies that it knows are non-compliant with rules it has only now discovered and is eager to enforce.
This approach is always backwards-looking, and a company won’t know it has violated these unwritten regulations until it is dealing with a lawsuit. While there is certainly value in letting the market determine the kinds of security on offer, rather than prescriptive regulations that bind industry’s hands and reduce competition, a more collaborative approach with industry could solve the backwards-looking nature of the FTC’s oversight.
These adversarial regulatory actions don’t fall only on technology companies. Indeed, the Wyndham case shows that the FTC will enforce its cyber regulations on any entity it feels has violated its unwritten best practices. It’s not hard to imagine a case in the not-too-distant future where an auto manufacturer has spent tens of millions to develop a new suite of connected car tools, only to be fined by the FTC because it hadn’t included features the FTC considered industry standard. The cost to the manufacturer would go beyond the fine and could carry major reputational costs for the company. After all, we’ll soon be asking for cybersecurity ratings on vehicles right alongside the crash test ratings. This sort of regulatory risk is likely to slow innovation, not foster it.
Regulating cybersecurity without a clear mandate
The FTC doesn’t have a dedicated cybersecurity regulatory mandate. In fact, if you ask FTC officials about it, the common response is “we don’t really do anything about cybersecurity, it’s not in our jurisdiction.” The problem is, several recent cases show this is simply not how things play out in the real world:
D-Link: cybersecurity by design, but only after all designs are in play:
In January of this year, the FTC sued D-Link,1 a maker of home Wi-Fi routers and other home networking equipment, because its products did not live up to the security design practices that most of the other major industry players had already adopted. However, the FTC hadn’t published such a list beforehand; it decided what was appropriate only after D-Link had shipped products around the world. The case is still pending, and unlike two prior cases which were settled out of court (ASUS and TRENDnet), it may lead to jurisprudence on cybersecurity design, marketing, and patching that will shape the FTC’s relationship with the IoT industry.
Wyndham: Systems management and best practices:
In the first major case related to regulatory oversight of cybersecurity issues, the FTC asserted that not having the same controls in place as other companies was an unfair trade practice on Wyndham’s part.2 The FTC found that Wyndham had not done enough to secure its systems, which had been breached three times over two years. The case involved regulatory action in response to the company not meeting a standard of security held by many of its competitors. The FTC asserted that proving actual injury to consumers was not necessary to enforce cybersecurity regulatory actions. Wyndham lost the case in appeal. The rest of us learned a painful lesson in systems management and industry best practices.
Yahoo: Waiting for the other shoe to drop:
The SEC is already looking at Yahoo (now part of Verizon) over the breach of over 1 billion email accounts, the largest data breach in history. The SEC is looking primarily at the time Yahoo took to report the breach, but the FTC has also been paying attention to this case. It is not inconceivable that the FTC takes a similar tack to its D-Link case, especially given allegations that Yahoo intentionally avoided certain email security protocols in place among its major competitors. The size of the case may also be enticing to the FTC: it is not uncommon for regulatory bodies like the FTC to try to deter smaller companies by winning high-dollar suits against larger companies.
Strong-arming into the healthcare sector
It doesn’t stop there. How exactly does the FTC make its way into the healthcare sector? According to its policies, its efforts raise consumer awareness and help prevent consumer harm. The FTC’s mandate is overly broad and extends to healthcare businesses that are also covered under HIPAA. This includes healthcare providers, health plans, business associates, etc. The FTC works with the Department of Health and Human Services on the privacy and security side of protecting health information. However, on the other side, products that are recommended by physicians or HIPAA-covered businesses are also within the reach of the FTC. This reach extends to consumers’ use of health apps, devices and products that non-HIPAA entities develop. It is also going to expand into the biomedical devices industry as cybersecurity issues continue to increase in this realm. In short, this is a way of extending regulation not only to the healthcare sector but also to anything that is touched by someone practicing in the healthcare sector.
Aside from Wyndham, another healthcare case shows the other side of enforcement action. Wyndham successfully solidified the FTC’s authority to police cyber-breaches, but in FTC v. LabMD the courts scrutinized the standard for “reasonable security” employed by the FTC.
LabMD3 is a privately held company that operated as a medical services provider, performing tests for patients at the request of doctors. As part of its business, LabMD stored electronic billing records and medical records on an office computer. In May 2008, a third party contacted LabMD and told it that some of these files were available through LimeWire, a peer-to-peer file sharing system. After being notified, LabMD determined that LimeWire had been installed on its billing computer, and promptly removed it. LabMD also searched and monitored LimeWire for several months for any evidence of the leaked files but found no evidence beyond the third party. Nevertheless, the FTC brought an enforcement action against LabMD under the unfairness prong of Article 5. The FTC alleged that LabMD did not employ readily available measures to prevent or detect unauthorized access to personal information on its computer networks, and did not develop, implement, or maintain a comprehensive information security program to protect consumers’ personal information.
But departing from Wyndham’s reasoning, this time the court found there was no evidence that any consumer suffered any actual harm from the alleged failure to employ “reasonable” data security. There was also no evidence of a high likelihood of future harm caused by LabMD.
The victory in this case was the push back from the court. In oral arguments, the court criticized the FTC standard of “reasonable security” and asked the FTC’s counsel why the commission doesn’t engage in rulemaking to define reasonable security. In response, the FTC counsel said, “Rulemaking isn’t effective and there are too many variables, as standards are always changing.” The court, however, pushed back further and asked how companies are supposed to know “that they’re violating what they’re violating,” if there are no rules. The FTC counsel said that it is “entitled to proceed in a case-by-case” manner and that companies have a “duty to act reasonably under the circumstances.”
Judge Gerald Bard Tjoflat responded that such a standard is “as nebulous as you can get” and this was the turning point. However, the FTC counsel said that data security threats and new technologies are constantly changing, and therefore, it makes more sense to say “you have to act reasonably” than to have specific rules. The court criticized this approach, saying that this unclear standard of “reasonableness,” determined by the commissioners, isn’t “good public policy.”
There you have it, folks: as more frivolous and ambiguous cases go up the chain in the legal system, we can only rely on the sound reasoning of the judges who push back against this “outer limits” regulation.
What will we see next?
The role of shadow regulator may change under the Trump Administration. Early in his presidency, Trump named Maureen Ohlhausen as acting chairwoman of the FTC. In the past, she has been more hesitant to pursue cases where actual harm wasn’t immediately evident. In fact, she voted against pursuing the D-Link case. This may open opportunities to engage the FTC and help build mutual understanding of businesses’ perspective on cybersecurity and how best to regulate these issues. What policies can industry support to help bring these shadow regulations into the light?
- FTC should make cyber decisions in an open and consultative process: This will help it understand what industry is doing and where best practices are emerging. It can then highlight these beforehand, so industry knows what the FTC is thinking. This will require constant revision, due to the constant evolution of the cybersecurity landscape.
- FTC should defer to NIST: Adherence to the NIST Cybersecurity Framework and other existing standards should be a guarantor of safe harbor and favorable regulatory positions, because it means the industry actor is actively trying to adhere to some kind of cybersecurity system. As the Cybersecurity Framework becomes ensconced in ISO standards, this will be an easier call for the FTC to make.
- FTC should guide state-level regulations: A dialogue that seeks to harmonize state-level laws and regulations would avoid high costs of compliance and a patchwork of regulations that may prove too onerous for small and midsize companies in particular.
What to do?
Regulatory action from the FTC along cybersecurity lines can be devastating for large companies, but potentially life-or-death for the smaller ones that make up major parts of the automotive sector supply chain. So, what is a business to do? Here are a few steps that all businesses should take now to avoid ending up in the hot seat with the FTC.
- Look around: The first and most obvious step is to look at what other companies in your space are doing. Practices are constantly evolving, and it’s important to understand what other companies are doing and what may later be construed as “industry standard” or “normal practice.” This should be followed up by action to ensure your business is compliant with these practices.
- Talk to the FTC: Given the post-facto nature of the regulatory decisions, it may be possible to identify and fix problems and alert the FTC before it finds them for you. This can open some safe harbor opportunities and reduce liabilities in the event of a breach or vulnerability.
- Participate in forums and engage: FTC officials are available to chat and want to understand the cybersecurity issues facing businesses. They attend the Black Hat conference, after all! So, engaging the FTC can help it understand cybersecurity issues from industry’s point of view before a regulatory enforcement action is on the horizon. Working through industry groups and in partnership with policy experts can give a company an edge in leading the discussion and setting the de facto standards.
1 FTC v. D-Link Sys., Inc., 2017 BL 330844, N.D. Cal., No. 17-cv-00039, motion to dismiss granted in part 9/19/17.
2 FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
3 LabMD, Inc. v. FTC, 11th Cir., No. 16-16270, oral argument 6/21/17.