Judge Gerald Bard Tjoflat responded that such a standard is “as nebulous as you can get” and this was the turning point. However, the FTC counsel said that data security threats and new technologies are constantly changing, and therefore, it makes more sense to say “you have to act reasonably” than to have specific rules. The court criticized this approach, saying that this unclear standard of “reasonableness,” determined by the commissioners, isn’t “good public policy.”
There you have it, folks: as more frivolous and ambiguous cases go up the chain in the legal system, we can only rely on the sound rationale of judges who push back against this “outer limits” regulation.
What will we see next?
The role of shadow regulator may change under the Trump Administration. Early in his presidency, Trump named Maureen Ohlhausen as acting chairwoman of the FTC. In the past, she has been more hesitant to pursue cases where actual harm wasn’t immediately apparent. In fact, she voted against pursuing the D-Link case. This may open opportunities to engage the FTC and help build mutual understanding of businesses’ perspective on cybersecurity and how best to regulate these issues. What policies can industry support to help bring these shadow regulations into the light?
- FTC should make cyber decisions in an open and consultative process: This will help them understand what industry is doing and where best practices are emerging. They can then highlight these beforehand, so industry knows what the FTC is thinking. This will require constant revision, due to the constant evolution of the cybersecurity landscape.
- FTC should defer to NIST: Adherence to the NIST cybersecurity framework and other existing standards should be a guarantor of safe harbor and favorable regulatory positions because it means the industry actor is actively trying to adhere to some kind of cybersecurity system. As the Cyber Security Framework becomes ensconced in ISO standards, this will be an easier call for FTC to make.
- FTC should guide state-level regulations: A dialogue that seeks to harmonize state-level laws and regulations would avoid high costs of compliance and a patchwork of regulations that may prove too onerous for small and midsize companies in particular.
What to do?
Regulatory action from the FTC along cybersecurity lines can be devastating for large companies, but potentially life-or-death for smaller ones that make up major parts of the automotive sector supply chain. So, what is a business to do? Here are a few steps that all businesses should take now to avoid getting in the hot seat with the FTC.
- Look around: The first and obvious element is to look at what other companies in your space are doing. Practices are constantly evolving, and it’s important to understand what other companies are doing, and what may be later construed as “industry standard” or “normal practice.” This should be followed up by action to ensure your business is compliant with these practices.
- Talk to the FTC: Given the after-the-fact nature of the regulatory decisions, it may be possible to identify and fix problems and alert the FTC before they find them for you. This can open some safe harbor opportunities and reduce liabilities in the event of a breach or vulnerability.
- Participate in forums and engage: FTC officials are available to chat and want to understand cybersecurity issues facing businesses. They attend the Black Hat conference, after all! So, engaging the FTC can help them understand cybersecurity issues from industry’s point of view before a regulatory enforcement is on the horizon. Working through industry groups and in partnership with policy experts can give a company an edge in leading the discussion and setting the de facto standards.
1. FTC v. D-Link Sys., Inc., 2017 BL 330844 (N.D. Cal. No. 17-cv-00039), motion to dismiss granted in part, Sept. 19, 2017.
2. FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
3. LabMD, Inc. v. FTC (11th Cir. No. 16-16270), oral argument June 21, 2017.