In our first post in this series, we discussed the origins of the NIST Cybersecurity Framework and gave our assessment that the Framework would serve not only as a helpful tool for companies looking for support in securing their networks, but also as a guidepost for best practices in data security. Recent guidance from the FTC supports this assessment. In a blog post published just last week, the FTC discussed the Framework and noted favorably that its “functions signify the key elements of effective cybersecurity.” This post discusses why the FTC’s view matters and identifies the Framework’s “Core” components.
The FTC’s view of the Framework is particularly noteworthy because the FTC has been aggressively regulating the use, storage and protection of consumer data without any express statutory or regulatory data security standard to point to. Instead, the FTC has consistently read Section 5(a) of the FTC Act -- which prohibits “unfair” or “deceptive” acts or practices -- broadly enough to impose data security obligations on companies.
Each of the FTC’s roughly 60 reported data security actions and settlements makes clear, and the FTC’s recent post reiterates, that “the touchstone of the FTC’s approach to data security has been reasonableness.” Businesses are therefore left in the unenviable position of trying to work out exactly which security measures will be “reasonable” in the eyes of the FTC. The FTC has pointed companies to its speeches, congressional testimony, articles, blog entries, Commission materials and data security settlements, but has otherwise left it to businesses to mine those resources for practical guidance.
This is where the Framework comes in. The Framework’s “Core” describes how a business should develop the ability to identify cybersecurity risks and vulnerabilities; protect critical assets; detect the occurrence of a cybersecurity event; respond to a detected event; and recover from it. Each Core function, as described in the Framework, is set forth below:
- Identify. Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect. Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond. Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
The Framework’s Core -- Identify, Protect, Detect, Respond and Recover -- offers useful insight into what the FTC means by reasonableness. Indeed, the FTC views the Framework as “fully consistent” with its own enforcement approach under the FTC Act because, in the FTC’s words, “the types of things the Framework calls for organizations to evaluate are the types of things the FTC has been evaluating for years in its Section 5 enforcement to determine whether a company’s data security and its processes are reasonable.”
Admittedly, the Framework is not a checklist and does not contain substantive security mandates. Nonetheless, because the FTC has signaled its approval of the Framework and expressly aligned its concerns with the Framework Core, companies that have so far been reluctant to implement the Framework would be well-served by giving it another look.