September 9, 2016

FTC Cybersecurity Risk Management Guidelines – Better Data Protection Can Equal Reduced Chance of Enforcement Actions


Since the 9/11 attacks, the National Institute of Standards and Technology (NIST) has worked to help government and businesses improve critical technology infrastructure. The NIST Framework for Improving Critical Infrastructure Cybersecurity, released in 2014, outlines resources and processes to help prevent attacks and lower the risks to both organizations and consumers.

On August 31, 2016, the FTC (Federal Trade Commission), whose duties include promoting data security in the private sector through civil law enforcement and education, discussed how the NIST Cybersecurity Framework (discussed in my 2014 article) relates to the FTC’s mission and enforcement actions.

Without going so far as to state that compliance with the Framework would constitute compliance with FTC requirements, the FTC did state that following the processes outlined in the Framework would have resulted in better data protection in many of its enforcement actions, implying that the result would have been no enforcement action or fewer penalties.

The perceived lapses that the FTC has challenged through law enforcement actions often correspond to the Framework’s core functions. The core functions of the Framework and a brief description of some of the FTC’s challenges are set out below:

The bottom line is that doing the work to follow the Framework model can lower a company’s risk. Even if a data security incident occurs, the very act of developing and implementing an appropriate plan may reduce liability and possible penalties. As a bonus, the practices may prevent some breaches from occurring at all.