Companies are facing a predicament when charged with federal regulatory violations over alleged failures to establish cybersecurity policies and/or protect personally identifiable information (PII).
When negotiations are underway, one of two scenarios usually unfolds. In the first, a not-so-transparent game of “cry uncle,” government investigators strong-arm companies into settling data breach cases rather than rack up already mounting legal fees and further damage to brand or company value. In the second, agency adjudication is followed by a defendant strategy of seeking vindication in the federal court system, because any kind of agency settlement will still leave some doubt that wrongdoing had occurred and harm a company's future business dealings.
Nonetheless, there's no doubt the Federal Trade Commission (FTC), the Federal Communications Commission (FCC) and the Securities and Exchange Commission (SEC) will attempt to build on these 2015 publicly announced settlements:
- LifeLock's agreement to pay $100 million to consumers to settle FTC charges it violated a 2010 order
- AT&T agreeing to pay a $25 million FCC fine over data breaches at three call centers
- Cox Communications agreeing to pay an FCC fine of $595,000 for failing to protect private customer information
- Investment adviser R.T. Jones agreeing to a $75,000 SEC penalty for failing to establish the required cybersecurity policies and procedures in advance of a breach that compromised the PII of approximately 100,000 individuals, including thousands of the firm's clients
Sometimes money isn't everything, as evidenced by the injunctive settlement reached last month between the FTC and Wyndham Worldwide, which agreed to 20 years of annual security audits and to ensure compliance with a formal risk assessment process.
The FTC did not return our enquiry for comment, but an FCC spokesperson stated in an email: “Settlements make abundantly clear the Commission's expectation that companies live up to their privacy obligations.” Such actions provide guidance to telecom and cable companies to take proactive steps to protect customers' PII and CPNI (customer proprietary network information) about consumers' telephone calls. The FCC spokesperson added that the FCC and FTC have a longstanding collaborative relationship on areas of overlapping jurisdiction, such as data security.
Risk management decision?
So are other organizations learning from these public examples, examining their IT security practices internally and fixing any infrastructural vulnerabilities by spending heavily on the latest detection, monitoring and firewall technologies, as well as training and education programs? Or are organizations willing to take their chances that they won't be breached or get caught in non-compliance, as a risk management decision?
“That's an absolute realistic characterization of what's going on,” says Marc Roth, a New York-based partner with the firm Manatt, Phelps & Phillips, who worked at the FTC from 1991 until 1996. “At that time, data breaches didn't exist,” he says. His firm currently advises corporations whose data has been breached, but none before the FTC regarding data security matters.
“It's the C-level decision-making which ultimately has to determine how much money, how much resources we're going to put toward data security,” he says. “If we don't, what are the risks? Given the recent cases and what's been going on, companies are foolish not to invest heavily in IT infrastructure.”
Financial and health care companies are heavily regulated, so they might be more attuned to compliance requirements. Still, the LifeLock and Wyndham settlements should “absolutely” be a wakeup call to the private sector, he added.
“Organizations today are changing their behavior, without question,” says J. Trevor Hughes, president and CEO of the International Association of Privacy Professionals, a Portsmouth, N.H. trade group for information privacy professionals with more than 20,000 members in 83 countries. “I'm confident we have better information security today in part because of data breach notification laws,” he says, noting that California started a trend in 2003 with SB1386, a version of which is now law in 47 states.
Today's “inevitability” of data breaches results in “much better risk management practices,” such as implementation of preparedness and response plans and cybersecurity insurance, Hughes adds.
A law of diminishing returns comes into play in regard to information security investments. “There's no regulator out there that expects you to run the company into bankruptcy, or eat up all profits in order to provide one iota more of information security,” Hughes says. These overseers expect companies to adhere to industry benchmarks and expectations, correct known flaws, and invest proactively and appropriately against risks, he adds.
But Robert Rodriguez, chairman of the Security Innovation Network (SINET), a San Francisco-based firm that advances innovation to enable global collaboration between the public and private sectors to defeat cybersecurity threats, is not convinced the system is working. “Until someone is jailed or fined so severely that it's going to hurt them, there's no teeth to the regulations.”
Jonathan Sander, vice president at Los Angeles-based identity management firm Lieberman Software, agrees with Rodriguez that some might view the fines as a gentle slap of the wrist. “When the regulatory agencies trumpet record-breaking fines that are less than three percent of organizations' advertising budget – like the $25 million fine levied against AT&T – it's easy to imagine that organizations aren't looking at these fines as motivations,” Sander said.
Adam Meyer, chief security strategist for Sterling, Va.-based SurfWatch Labs, which provides monitoring and detection technology, said companies caught off guard when either breached or fined for non-compliance exhibit an organizational culture problem. “There certainly seems to be no shortage of organizations who prefer to roll the dice with regards to their cyber risk,” Meyer says. “Yet any organization that does that is gambling in a high stakes game.”
In today's world of non-stop cyberattacks, companies with good cyber hygiene practices are having a much easier time defending themselves because they are able to easily produce evidence that they were performing due diligence, Meyer points out.
Being prepared makes sense because everyone is essentially at risk, believes Steve Conrad, managing director of MediaPro, a Bothell, Wash.-based company that specializes in security awareness. “It's unfortunate, but it often takes a federal or state settlement to get [companies] to pay attention to the role the human element plays in data protection,” Conrad says, citing social engineering as a trigger for breaches.
LabMD: No regrets
Some companies have no choice but to fight it out, if you ask Mike Daugherty, CEO of LabMD, an Atlanta-based clinical and anatomic medical laboratory. His cancer detection laboratory closed in January 2014 after key employees left in the wake of an FTC determination that the “very profitable” privately held company didn't reasonably protect patient information. At its peak, LabMD had an annual sales volume of $10 million, according to Daugherty, whose legal defense has been provided pro bono, allowing him to take on the FTC.
LabMD was alerted by Pittsburgh-based security firm Tiversa that PII of 9,000 of its patients was found on a file-sharing site. After Daugherty rebuffed Tiversa's request to retain its services, he later learned that the information was shared with the FTC and formed the basis of its lawsuit against LabMD.
A House Subcommittee on Oversight and Government Reform report released in April 2015, based on a hearing in January, largely sided with Daugherty. Then in November 2015 an FTC administrative law judge dismissed the agency's case, concluding it did not prove LabMD's practices caused or were likely to cause substantial consumer injury.
Knowing what he knows now, Daugherty said he would do the same thing all over again, even though it cost him his company and livelihood. Although the congressional investigation and administrative judge “caught the FTC so red-handed,” Daugherty expects LabMD will lose the next round at the FTC.
“I'm shedding light on their corruption,” he said. “The reason I fought is not because I'm some principled ideologue. Surgeons who are my customers are just going to think ‘he signed a consent decree; he must have done something wrong. I can't use a lab that doesn't keep my patients' information safe.' I thought at least I could go down swinging. We're going to get to the federal court system, and we're going to kick their ass.”
Daugherty conceded settling might be a sound business decision for others. “In the world of the administrative court consent decree game, everybody rolls so you never get to court,” Daugherty says. The FTC's position, he says, is: “If you want to fight with us, it's going to cost years and millions. Your lawyers are going to tell you to settle. Corporation boards and CEOs do it.”
So who's next? Hughes notes there's always “hallway chatter” at security conferences over what's in the pipeline. “The nature of the cases and the names of companies are far less clear. The FTC is appropriately tight-lipped,” he says, adding that the cases will continue because identity theft has remained the number one consumer complaint to the FTC for five or six years running.
SC Magazine spoke with Michael Valentino, VP marketing and communications, Wyndham Worldwide, regarding the hotel chain's response following a cyberattack.
SC Magazine: Did Wyndham make any changes in your IT security procedures/infrastructure/monitoring, etc. as a result of the FTC investigation? Was the “standard for reasonable payment card security” established by the settlement any different from what Wyndham was doing previously?
Michael Valentino, VP marketing and communications, Wyndham Worldwide: Wyndham instituted significant measures in response to the cyberattacks. Prior to the attacks and for years since, Wyndham has met specific industry standards for safeguarding payment card information, and the Consent Order specifically establishes that compliance with those standards constitutes “reasonable data security.”
As standards for payment card information security have evolved, we have and will continue to devote significant attention and resources to comply with legal requirements and industry standards. We view the settlement as an indication that Wyndham has had reasonable data security over payment card information. We fully comply with PCI standards, which the FTC has acknowledged in the consent order, constitutes reasonable data security over payment card information. In addition, we provide access to training on cybersecurity by third parties to Wyndham-flagged hotels.
The threat of cyberattacks continues to be an ongoing issue for businesses, government and individuals, and we will all need to work together to combat this threat. Protecting consumer information is a top priority for Wyndham.