For Cybersecurity and Privacy, “What Are the Industry Standards? Are We Meeting Them?”

These are questions the FTC Chairman, Joseph Simons, strongly suggested a CEO must ask before a data breach occurs to avoid the prospect of personal liability. These questions, and statements by other commissioners emphasizing the FTC’s role – to bring about a “culture of change” that better protects consumers – were part of separate meetings with each of the five FTC commissioners last month. On the heels of these meetings, Senator Ron Wyden (D-OR) proposed federal legislation that would give the FTC new powers and would expose executives who fail to meet industry standards to incarceration.

With the FTC already requiring at least one CEO to verify that a company is meeting industry standards for privacy, the question of what industry standards apply is more important than ever. Since 2010 the FTC has resolved about 50 cases involving alleged cybersecurity incidents and privacy violations (mostly the latter). In 12 of these the FTC named directors and officers as well as their organizations. In four of these the FTC negotiated settlements requiring organizations to establish and implement written cybersecurity and privacy programs. As noted previously, the FTC has been “on a tear”[1] and recently mandated that Equifax implement a comprehensive cybersecurity program that included, “at a minimum,” 26 requirements.

Which brings us back to Chairman Simons’ questions and what constitutes “industry standards.” Some laws and commonly used contract terms define industry standards as “the usual and customary practices in the delivery of products or services within a particular business sector.”[2] Industry standards can also refer to a standard adopted by a standards-setting organization. Establishing such standards takes time, as they must be tested to ensure broad application. Enter NIST – the National Institute of Standards and Technology.[3]

In February 2013, an executive order was issued requiring government and private sector organizations to collaborate on how “to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”[4] A year later the NIST Cybersecurity Framework (“CSF”) was published, and on April 16 of last year it was updated. The Organization of American States and Amazon Web Services recently described it as:

[U]ndoubtedly a tool for cybersecurity risk management, which enables technological innovation while adjusting to all types of organizations (regardless of category or size) … [and is] a simple-approach to strategy to cybersecurity governance, to make it possible to easily transfer technical notions to the business objectives and needs.[5]

The CSF can be found here: https://www.nist.gov/cyberframework.

What the CSF Does

The CSF integrates industry standards to help organizations manage their cybersecurity risks. It is a guide consisting of five functions, 23 categories, and 108 subcategories based on industry best practices. The five functions and their purposes are:

  1. Identify – to develop an understanding of the risks
  2. Protect – to describe appropriate safeguards
  3. Detect – to define activities for identifying when an event has occurred
  4. Respond – to include activities to take when an event has been detected
  5. Recover – to implement activities necessary to restore any capabilities

The CSF is intended to provide a common language that allows staff at all levels within an organization to develop a shared understanding of their cybersecurity risks. According to the information technology research company Gartner, 50% of organizations will be using the CSF for their cybersecurity programs by 2020.[6]

How the CSF Applies

In August 2016, a staff member for the FTC wrote an instructive article that cross-referenced the CSF with several FTC cases in which organizations failed to implement industry standards.[7] The author suggested that had these organizations monitored security vulnerabilities, limited access permissions, and contained and communicated about the cyberattacks they experienced based on guidance found in the CSF, they may have been in compliance.[8]

With the surging wave of new cybersecurity and privacy regulations, knowing and complying with industry standards is especially relevant. As but one example, the California Consumer Privacy Act will enable consumers to sue businesses that experience a data breach for failing to “implement and maintain reasonable security procedures and practices.”[9]

As a companion to the CSF, NIST has been working on a framework for privacy. On September 6, 2019, a preliminary draft of the NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management was released. NIST will be accepting public comments on this draft through October 24, 2019, and inquiries about becoming an early adopter are being accepted.

[1] https://www.stoelprivacyblog.com/2019/08/articles/privacy/recent-ftc-enforcement-actions/

[2] https://www.lawinsider.com/dictionary/industry-standard (citing various state statutes)

[3] https://www.nist.gov/sites/default/files/documents/2019/09/09/nist_privacy_framework_preliminary_draft.pdf

[4] Id.

[5] https://www.oas.org/en/sms/cicte/docs/OAS-AWS-NIST-Cybersecurity-Framework(CSF)-ENG.pdf

[6] https://www.nist.gov/industry-impacts/cybersecurity

[7] https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc

[8] Id.

[9] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.15