De-mystifying NIST, Part II: The NIST Cybersecurity Framework Core and the Federal Trade Commission’s Focus on “Reasonableness”

In our first post in this series, we discussed the origins of the NIST Cybersecurity Framework and gave our assessment that the Framework would serve not only as a helpful tool for companies looking for support in securing their networks, but also as a guidepost for best practices in the realm of data security.  Recent guidance published by the FTC gives credence to this assessment.  In a blog post made available to the public just last week (available here), the FTC discussed the Framework and noted favorably that its “functions signify the key elements of effective cybersecurity.” This post discusses the importance of the FTC’s insight and identifies the Framework’s “Core” components.

The FTC’s thoughts on the Framework are valuable and particularly noteworthy because of the way that the FTC has been aggressively regulating the use, storage and protection of consumer data in the absence of any express statutory or regulatory guidelines pertaining to data security.  Rather, the FTC has consistently interpreted Section 5(a) of the FTC Act -- which generally prohibits “unfair” or “deceptive” business practices -- broadly to impose obligations upon companies in the data security context.  

As made clear in each of the FTC’s roughly 60 reported data security actions and settlements, and as reiterated by the FTC in its recent post, “the touchstone of the FTC’s approach to data security has been reasonableness.”  Given this, businesses find themselves in the unenviable position of trying to figure out exactly what security measures will be “reasonable” in the eyes of the FTC.  In this regard, the FTC has broadly referred companies to its speeches, congressional testimony, articles, blog entries, Commission materials and FTC settlements in the data security area, but has otherwise left it up to the businesses themselves to mine these various resources for nuggets of practical guidance.   

This is where the Framework comes in.  To assist businesses, the “Core” of the Framework describes how they should develop the ability to identify cybersecurity risks and vulnerabilities; protect critical infrastructure assets; detect the occurrence of a cyber event; respond to a detected event; and recover from a cyber event.  Each Core component, as described in the Framework, is set forth below:

  • Identify.  Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
  • Protect.  Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  • Detect.  Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond.  Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  • Recover.  Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

The Framework’s Core -- Identify, Protect, Detect, Respond and Recover -- helps provide valuable insight into the FTC’s focus on reasonableness.  In fact, the FTC views the Framework as being “fully consistent” with its own enforcement approach under the FTC Act because, in the FTC’s words, “the types of things the Framework calls for organizations to evaluate are the types of things the FTC has been evaluating for years in its Section 5 enforcement to determining whether a company’s data security and its processes are reasonable.” 

Admittedly, the Framework is not a checklist and does not contain substantive security mandates.   Nonetheless, the fact that the FTC has signaled its approval of the Framework and expressly aligned its concerns with the Framework Core means that companies thus far reluctant to the implement the Framework would be well-served by giving it another look. 

HSE’s F. Paul Greene to speak about “Managing Cybe...
Third Circuit Upholds Pennsylvania’s Economic Loss...


This website presents only general information not intended as legal advice. Although we encourage calls, letters and emails from prospective clients, please keep in mind that merely contacting Harter Secrest & Emery LLP (HSE) does not establish an attorney-client relationship between us. Confidential information should not be sent to HSE until you have been notified in writing by HSE that a formal attorney-client relationship has been established. Information sent to us before then may not be treated as confidential by HSE or the court.

I have read this and agree     Cancel

Our website uses cookies. By continuing to use our site, you agree to our use of cookies in accordance with our Privacy Policy.