For years there has been debate over whether data breaches and cyber security should be governed by a single, centralized body of law rather than the current mix of state and federal laws and regulations. As early as October 2014, President Obama called upon Congress to pass data breach legislation because, “[t]he current patchwork of laws governing a company’s obligations in the event of a data breach is unsustainable, and helps no one.”
At present, almost two years later, there is still no single framework regulating cyber security and data breaches. A recent blog post by the Federal Trade Commission (FTC) addresses how its data security enforcement relates to the cybersecurity framework published by the Department of Commerce (DOC). Even so, considerable work remains to harmonize state and federal law.
Background On NIST Standards
On February 12, 2014, the DOC’s National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity, “a set of industry standards and best practices to help organizations identify, assess and manage cybersecurity risks.” NIST developed the Framework in response to President Obama’s Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity,” signed one year earlier.
Specifically, the EO was intended “to enhance the security and resilience of the nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation and economic prosperity while promoting safety, security, business confidentiality, privacy and civil liberties.” The NIST Framework did not create new standards. Rather, it was designed to “leverage and integrate” existing standards, guidelines and practices already in use across industry and government. The Framework organizes cyber security activities into the Framework “Core,” which is composed of five “functions”: Identify, Protect, Detect, Respond and Recover. The key elements of effective cyber security under these functions can be summarized as follows:
- Identify: develop an organizational understanding of how to manage cybersecurity risk to systems, assets, data and capabilities.
- Protect: develop and implement the controls and safeguards necessary to protect against or deter cybersecurity threats.
- Detect: implement activities that provide timely, and where possible real-time, alerts when a cybersecurity event occurs.
- Respond: develop and exercise effective incident response activities.
- Recover: develop continuity and recovery plans so the organization can maintain resilience and restore normal operations after a breach.
Complying with the FTC via the NIST Framework
The FTC “is committed to protecting consumer privacy and promoting data security in the private sector.” Its authority stems from Section 5 of the FTC Act, which is “the primary enforcement tool that the FTC relies on to prevent deceptive and unfair business practices in the area of data security.” Since 2001, the FTC has settled nearly 60 cases against companies that it alleged failed to reasonably secure consumers’ personal information. Because of this enforcement activity, the FTC is frequently asked, “If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?” The FTC responds:
The Framework is not, and isn’t intended to be, a standard or checklist. It’s meant to be used by an organization to determine its current cybersecurity capabilities, set individual goals, and establish a plan for improving and maintaining a cybersecurity program, but it doesn’t include specific requirements or elements. In this respect, there’s really no such thing as “complying with the Framework.” Instead, it’s important to remember that the Framework is about risk assessment and mitigation. In this regard, the Framework and the FTC’s approach are fully consistent: The types of things the Framework calls for organizations to evaluate are the types of things the FTC has been evaluating for years in its Section 5 enforcement to determine whether a company’s data security and its processes are reasonable. By identifying different risk management practices and defining different levels of implementation, the NIST Framework takes a similar approach to the FTC’s long-standing Section 5 enforcement.
In other words, adopting the Framework is not a safe harbor from Section 5 enforcement: the FTC evaluates whether a company’s data security program was reasonable for the risks it faced, and the Framework is a tool for structuring that evaluation, not a checklist that settles it. The FTC provides the following guidance on using the Framework to manage cyber security risk:
The Framework’s five Core functions can serve as a model for companies of all sizes to conduct risk assessments and mitigation, and can be used by companies to: (1) establish or improve a data security program; (2) review current data security practices; or (3) communicate data security requirements with stakeholders. And as the FTC’s enforcement actions show, companies could have better protected consumers’ information if they had followed fundamental security practices like those highlighted in the Framework.
Cyber Insurance’s Development Without Harmonized Laws and Regulations
While progress on cyber security and data breach measures may be stunted when laws and regulations are poorly coordinated, cyber insurance can continue to grow regardless of what state, local and federal governments do. Rather than relying on government guidelines, the early development of cyber insurance is being driven by insurers, brokers and policyholders working together to make sure everyone understands a policyholder’s particular risks and that the proper safeguards are put in place.