Companies trying to navigate the largely uncharted waters of cybersecurity are finding the going difficult. They face a degree of uncertainty over decisions related to protecting themselves from data breaches, and even greater doubt about how best to respond to breaches that do occur.
A year ago the Commerce Department’s National Institute of Standards and Technology (NIST) released a Framework for Improving Critical Infrastructure Cybersecurity. Although it received mixed reviews, the framework provides a structure that offers organizations a methodology to assess and improve their capabilities. In addition, there are industry groups seeking to impose acceptable standards, and a growing insurance market that over time will impact policy and procedures. But at the moment, the guidance that does exist is very much in flux.
On the federal government side, the Federal Trade Commission (FTC) has carved out a leadership role in regulating data security practices through its enforcement actions. Generally, the companies subject to those enforcement actions have settled, and the process has offered some insight into data security practices that are being seen by the FTC as falling short.
However, the FTC has not set forth clear guidance on what constitutes acceptable security practices, and one subject of an enforcement action—Wyndham Hotels & Resorts LLC—has challenged the FTC’s authority to regulate data security practices. The U.S. Court of Appeals for the Third Circuit will rule on the matter, and its decision will have significant and far reaching implications. Ironically, if the court upholds Wyndham’s challenge, businesses will have even less certain guideposts to follow, although one could anticipate that both Congress and individual states might move to provide further regulatory powers relatively quickly.
The courts will provide yet another potential source of future standards. A wave of data breach litigation is sweeping across the country, and more class action suits are certain to be filed as breaches continue to happen.
Among the most watched suits at this moment are those arising out of the major data breach at Target. The initial lawsuits were filed soon after the nature of the breach became public, and there was much speculation that the suits would be dismissed based on then existing precedents. A year later it is apparent that the suits will proceed and that the federal judge in Minnesota who is hearing the cases is taking a hard look at Target’s responsibilities to protect data. In refusing to dismiss the suits the presiding judge seems to have established that banks have a right to go after businesses that suffer breaches if they can establish negligence on the part of the affected business.
Whatever the court decides in this case will ripple across the cyber landscape. Some of the issues presented are complex, but at its core, what is being decided is whether Target acted reasonably both in protecting data and in responding to the breach.
The issue of what is reasonable to do to safeguard data and respond to incidents is at the heart of the standard setting process. We are still in the early stages of a messy undertaking that will move in fits and starts toward a time at which standards for acceptable behavior will be generally agreed upon. Until that time, companies are well served to benchmark themselves against their peers, and engage in a process of continuous assessment and improvement in their cyber defenses and response mechanisms.
By Tom Davis, SDI Cyber Risk Practice
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
You can view previous blog posts on cyber risk management here.
February 10, 2015