What Constitutes 'Reasonable Protection'?
A Federal Trade Commission lawsuit now before the federal courts, alleging that the Wyndham hotel chain failed to make reasonable efforts to protect consumer information, offers a cautionary tale to all executives. The concern: How do companies decide what constitutes "reasonable protections" of sensitive data -- and how do they know if they're meeting that standard?
The lawsuit promises to bring attention and context to a set of voluntary national cybersecurity guidelines released in February by the National Institute of Standards and Technology (NIST), designed to help executives address those questions, as InformationWeek Government contributing writer William Jackson reports this week.
The case against Wyndham Worldwide and three subsidiaries involves the theft of hundreds of thousands of consumer debit- and credit-card numbers, after hackers allegedly broke into Wyndham's corporate computer system and systems of several individual hotels from 2008 to early 2010. (This theft pales in comparison to the massive breach of Target's point-of-sale systems late last year, which affected as many as 70 million customers.) The case is as much about whether the Federal Trade Commission has the authority to police Wyndham as it is about the company's security practices.
In her April 7 decision to let the case proceed, US District Judge Esther Salas ruled that the FTC indeed has the power to regulate corporate data-security practices -- and made it clear that executives had better take their companies' data-security precautions more seriously.
But what constitutes reasonable protections, and what role might the new federal cybersecurity framework play? Although protecting consumer data and the nation's critical-infrastructure facilities might seem to be two different endeavors, they share a common need to assess and protect against risks.
Back in December 2008, around the time hackers were finding their way into Wyndham's computer systems, former Defense Information Systems Agency director Harry D. Raduege and a federal commission filled with security experts delivered a report to President Obama that laid bare how vulnerable the nation's privately held critical-infrastructure systems were to cyberattacks.
Some industries were deemed better prepared than others. Companies in charge of the nation's energy and water supplies, those operating communications and transportation networks, and those in a dozen other industries, including healthcare and banking, were said to be ill-prepared to protect their operations from increasingly sophisticated cyber-attacks. The risk of economic catastrophe loomed large. Moreover, there existed no clear baseline across all those industries to establish a set of protections.
For better or worse, Congress has been unable to agree on a legislative remedy, leading President Obama to issue an executive order last May calling for industry leaders and NIST to hammer out a set of cybersecurity best practices, resulting in the framework NIST released for infrastructure operators in February.
The guidelines give industry executives something their counterparts at Wyndham probably wish they had: a template for assessing their security posture and a set of standardized activities to follow to protect against and respond to cybersecurity threats.
As the Target data breach illustrates, even having the most sophisticated monitoring tools and measures is no guarantee that attackers won't get in. However, because the NIST guidelines represent the recommendations of hundreds of public- and private-sector organizations and companies, rather than government, the framework establishes what reasonable cybersecurity practices look like for a variety of industries.
De facto standard
Which brings us back once again to the FTC case. Legal experts -- including Gerald Ferguson, a data protection expert at law firm BakerHostetler, and former White House cybersecurity adviser Richard Clarke -- maintain that the NIST cybersecurity framework will become a de facto standard in cybersecurity-related lawsuits in determining whether companies took sufficient steps to protect their operations from attacks.
Industry executives must also expect that FTC attorneys will study every word of the framework. Don't miss the fact that FTC chairwoman Edith Ramirez requested legislation on Dec. 12 that would make the FTC's current practice of policing data breaches one of its official duties. While the FTC has the authority to police trade practices considered to be "unfair" and "deceptive" to consumers, its authority to police data breaches is less explicit.
That hasn't stopped the FTC from asserting itself. For example, the FTC and the Department of Justice issued a policy statement on April 10 to clarify that companies can share cybersecurity threat information with competitors without violating antitrust law. Such info sharing is seen as a critical step to improve cybersecurity, but companies have been reluctant to do so for fear of the trustbusters.
The FTC and DOJ guidance not only provides legal cover, but it also encourages companies to use the cybersecurity framework.
This isn't to say that companies have been sharing no threat information; a number of sectors have established groups for that purpose. For instance, amid denial-of-service attacks on the websites of leading US banks over the last few years, banks formed the Financial Services Information Sharing and Analysis Center to swap relevant information with one another and with the federal government. Nonprofit organizations such as Boston's Advanced Cyber Security Center, the Bay Area Security Council, and ChicagoFirst have brought together companies across industries in major metropolitan areas.
No one, including those who helped craft the federal cybersecurity framework, thinks its guidelines will address every security issue that US companies face. But they're starting to address the question every CEO must answer sooner or later: What do reasonable cybersecurity protections look like, and is my organization adhering to them?
About Martin Horan
Founder of FTP Today and an expert in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.