If someone had asked Jay Leek two years ago if advanced threat detection should be part of every institution’s core security stack, he would’ve replied that it’s “nice to have, but it only becomes core in more mature programs.” But today, the chief information security officer at The Blackstone Group in New York is taking a new look at what’s considered reasonable care in protecting information.
“Today, I would say advanced threat detection capability is foundationally part of your core stack – it’s one of the first things you do,” because of the ever-changing threat landscape, Leek says.
Defining what is reasonable care when it comes to information and systems security is one of many questions on IT leaders’ minds after the Third U.S. Federal Circuit Court ruled in August that the Federal Trade Commission can sue organizations that have poor IT security practices, especially companies that have had more than one security breach that compromised customer data.
The ruling was part of a lawsuit between the FTC and hotel chain Wyndham. In 2008 and 2009, Wyndham was hacked three times, losing credit card data for more than 619,000 customers and causing $10.6 million in loss due to fraud. The court said that companies must exercise reasonable care in securing their systems.
The FTC’s power to sue for lax security is not necessarily new, and in fact dozens of companies have been held accountable by the commission in recent years, but they have quietly settled out of court by signing consent decrees that promise to clean up their act, says Michael R. Overly, a partner and intellectual property lawyer focusing on technology at Foley & Lardner LLP in Los Angeles. Wyndham was the first organization in almost a decade to challenge the FTC in court and reaffirm its power, he adds.
“This new attention [to the FTC’s power] is good because companies need to understand that it’s not about ‘now we need to fix things because we’ve been hacked,’ or they’re simply suffering from some adverse publicity,” he says. “My hope is that this points out to businesses that they need to be more proactive.”
In 2006, the FTC imposed a $10 million fine on data aggregator ChoicePoint, the largest civil penalty ever levied at the time by the agency, for the highly publicized security breach that the company had disclosed a year earlier. The FTC charged that ChoicePoint’s security and record-handling procedures violated consumers' privacy rights. The settlement was also the first in which the FTC had fined a company in connection with a security breach.
Since then, the FTC’s goal has been to help correct and not necessarily punish companies for lax security “unless it’s egregious,” Overly says, but that doesn’t mean security teams can relax.
Security leaders and legal experts offer four important takeaways from this latest ruling.
1. CSOs must evolve with the changing definition of ‘reasonable care’
“You’ve definitely got to stay on top of threats and think about what controls and capabilities that you need to deploy (including running programs that have continuous improvement) and really keep close tabs on the current threat landscape,” Leek says.
Blackstone has created its own security stack for the 100 companies in its portfolio, he says. “It’s a risk-based programmatic approach to developing an information risk and security program, with a methodology that they’re able to refer to and follow.”
About a dozen Blackstone companies began implementing the stack in mid-2014, but it was officially launched across its entire portfolio in May. “It’s pretty new, and it’s by no means perfect, but we’re trying to give some good guidance on how to do things,” Leek says.
Perfection is not the requirement of the FTC, Overly says. Rather, companies are required to do what is reasonable and appropriate. “If a company has never changed the default password in their routers or never required employees to change passwords, for example -- those easy, fundamental things that companies should be doing -- that’s when the liability is going to come in,” he adds. “It sounds silly, but lots of companies do just that.”
2. Some industries still must define security standards
While some industries have their own standards of security through regulatory and compliance requirements, such as HIPAA, Gramm-Leach-Bliley or Sarbanes-Oxley, other sectors are just starting to define their own industry information security standards, which could help define reasonable care in the case of an FTC suit.
In July, the automotive industry, led by the Alliance of Automobile Manufacturers and the Association of Global Automakers, announced a new intelligence sharing and analysis center that will begin disseminating and exchanging cyber threat information later this year. Organizers say the ISAC will provide a central hub for cyber threat information and analysis, as well as bring insights on the current threat landscape.
“While they have a lot of work to do, they are getting ahead of it,” says Sedar Labarre, vice president at Booz Allen Hamilton and a leader in its commercial business, with a focus on cybersecurity. The ISAC is just the tip of the iceberg, he says. “By no means does it replace what needs to be done internally in each of these companies,” Labarre says. Complicating matters, automakers can’t find enough workers experienced in both cybersecurity and automotive technology, he explains. “They’re working to figure out how do we train and get people in the industry to build those internal capabilities.”
3. Keep closer tabs on third-party contractors’ security practices
A third of all security breaches suffered by retailers were linked back to compromises via third-party vendors, according to BitSight Technologies. “You need to be more careful about your third-party agreements and address information security with those third parties,” Overly says.
Target told reporters in 2014 that the initial intrusion into its systems that led to a massive data breach was traced back to network credentials that were stolen from a third-party vendor, a refrigeration, heating and cooling subcontractor that had worked at several Target locations. Home Depot, CVS and Costco have also pointed to third-party vendors as the culprits in their data breaches.
4. The buck stops with executives to increase security budgets
One silver lining from the ruling might be that security leaders finally have the leverage they need to beef up budgets for security programs.
In higher education, for instance, IT departments are always fighting for a portion of the budget for security, but it’s hard to convince the board that security directly benefits its core missions of education and research, says Quinn Shamblin, former CISO at Boston University.
“We’re able to make a much stronger connection between the value of security and core missions than we were a couple years ago because millions of dollars of research is being stolen every year due to poor security practices,” Shamblin says. The FTC ruling puts more responsibility on executives and board members to improve security, through bigger budgets or staffing, and to prevent breaches.
“By making organizations and the actual strategic and financial leaders of those organizations directly responsible for ensuring security practices – you have a better chance of making sure that risk is being talked about around the conference room table,” Shamblin says.
While the FTC ruling’s bark may turn out to be worse than its bite, it does serve as a reminder that companies must keep up with the changing threat landscape.
“Information security has changed a lot, even in the last two years,” Overly says. “Companies who are managing by waiting for the next disaster are going to find themselves to be the people the FTC will be talking to.”