THE FTC’S AUTHORITY TO REGULATE CYBER SECURITY
A recent federal court pronouncement significantly impacted industry’s obligation to maintain cyber security. Here is what communication service providers need to know.
The Wyndham Hotel Ruling
In FTC v. Wyndham Worldwide Corp. (3d Cir. Aug. 24, 2015) the Third Circuit Court of Appeals ruled that the Federal Trade Commission may bring enforcement actions against “unfair” cyber security practices under Section 5 of the FTC Act, even though the agency has never specified exactly what cyber security standards a company must uphold. Wyndham suffered three cyber security breaches between 2008 and 2010 in which intruders took payment card data belonging to hundreds of thousands of hotel guests, causing over $10 million in fraudulent charges. The FTC responded by suing Wyndham in federal district court; it was the FTC's unfairness claim that reached the Third Circuit.
This outcome may seem strange to communication service providers accustomed to the jurisdiction of the Federal Communications Commission. The FCC usually adopts detailed rules first and then enforces those rules against non-compliant service providers. By contrast, the FTC articulates its requirements case by case, through enforcement proceedings.
The Types of Security Practices Considered Unfair
Although the Court confirmed the FTC’s jurisdiction over cyber security, it did not decide whether Wyndham’s particular security practices were in fact “unfair.” That issue goes back to the district court for further proceedings. Meanwhile, network owners are left to wonder: what cyber security practices does the FTC consider fair?
One way to answer the question is to review the kinds of practices the FTC has already pursued. The allegations against Wyndham are a good example. The company collected and stored large volumes of payment card information but kept it in clear, readable text rather than encrypting it. It did not use firewalls to separate the individual hotels’ property management systems from the corporate network and the Internet. It ran servers with known, unpatched vulnerabilities, including operating systems that no longer received security updates. It allowed its servers to be accessed with vendors’ “default” user names and passwords. It did not adequately restrict the access of third-party vendors to its network. Finally, it lacked adequate systems to detect unauthorized access, so the intruders were able to return a second and a third time using much the same methods.
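The first failing on that list, card data sitting in clear text, is the one a provider can most easily check for itself. The following scanner is an added example, not code from the article or from Wyndham: it finds candidate primary account numbers in text, keeps only those that pass the Luhn checksum (which cuts most phone-number and timestamp false positives), and reports them masked so the findings report does not become another copy of the card data. The file names and records are constructed for illustration.

```python
"""Cleartext payment-card discovery scanner (added example, constructed input)."""
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (so account IDs and timestamps are skipped).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits (the PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    location: str
    line_no: int
    masked_pan: str


def scan_text(location: str, text: str) -> list:
    """Return one Finding per Luhn-valid candidate PAN in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(location, line_no, mask_pan(digits)))
    return findings


def scan_sources(sources: dict) -> dict:
    """Scan several named sources; return {location: findings} for hits only."""
    report = {}
    for location, text in sources.items():
        hits = scan_text(location, text)
        if hits:
            report[location] = hits
    return report


# Constructed sample: a property-management export containing three numbers
# from the standard Visa/Mastercard/Amex test ranges (all Luhn-valid) and one
# digit string that looks like a card number but fails the checksum.
SAMPLE_SOURCES = {
    "pms_export.csv": (
        "guest_id,name,card,phone\n"
        "1001,Guest A,4111 1111 1111 1111,555-0100\n"
        "1002,Guest B,5555-5555-5555-4444,555-0101\n"
        "1003,Guest C,378282246310005,555-0102\n"
        "1004,Guest D,1234567890123456,555-0103\n"
    ),
    "app.log": "2015-08-24T10:00:00Z INFO checkout ok for guest 1001\n",
}

if __name__ == "__main__":
    for location, hits in scan_sources(SAMPLE_SOURCES).items():
        for f in hits:
            print(f"{f.location}:{f.line_no}: cleartext PAN {f.masked_pan}")
```

Run against real exports, database dumps and application logs, the hits tell you where card data lives unencrypted; the log file in the sample produces no hit, which is the result you want from a system that never writes full PANs.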
The above list of security failings provides general guidance on the FTC’s expectations. Beyond that, network operators should keep current on industry best practices for cyber security. The National Institute of Standards and Technology, a component of the Commerce Department, has issued a “framework” for this purpose, the Framework for Improving Critical Infrastructure Cybersecurity, first released in February 2014. A copy of the NIST Cybersecurity Framework is found here: http://www.nist.gov/cyberframework/.
The Special Needs of Cyber Security for Communication Service Providers
Cyber security is especially vital to communication service providers, not only because they handle personal subscriber data but because they are sometimes required, under laws such as CALEA, to assist law enforcement agencies with lawful electronic surveillance and the lawful production of subscriber records. A service provider must strictly guard against unauthorized access to the surveillance solution installed in its network. Equally important, when the solution is activated it must intercept only the communications of the suspect named in the court surveillance order and deliver the intercepted data only to the law enforcement agency named in the order.
Likewise, when a communication provider is served with a court order, warrant or subpoena for subscriber records, only a trained, authorized employee should access the requested records. That person should collect the targeted data in a manner that prevents unauthorized access and deliver it securely to the requesting law enforcement agency. No copies of the delivered records should be left where others can view them.
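The two preceding paragraphs describe the same control from two sides: release only the named subscriber's data, only to the named agency, and keep a record of who did what. The code below is an added example, not the article's or any real provider's system, showing how a records-production function can enforce that scope and keep a hash-chained audit trail of every request, granted or refused. The order's list of authorised record types, and every name, identifier and record in it, are constructed assumptions.

```python
"""Order-scoped subscriber record production with a tamper-evident audit log.
Added example; all orders, agencies, subscribers and records are constructed."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class CourtOrder:
    order_id: str
    target_subscriber: str       # the one subscriber named in the order
    agency: str                  # the one agency entitled to receive data
    valid_from: datetime
    valid_to: datetime
    record_types: frozenset      # assumed scope limit, e.g. {"call_detail"}


class ScopeError(PermissionError):
    """Raised when a request exceeds what the order authorises."""


@dataclass
class AuditLog:
    """Append-only log; each entry commits to the hash of the previous one."""
    entries: list = field(default_factory=list)
    _prev: str = "0" * 64

    def append(self, event: dict) -> str:
        body = json.dumps({**event, "prev": self._prev}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.entries.append((digest, body))
        self._prev = digest
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for digest, body in self.entries:
            if hashlib.sha256(body.encode()).hexdigest() != digest:
                return False
            if json.loads(body)["prev"] != prev:
                return False
            prev = digest
        return True

    def results(self) -> list:
        return [json.loads(body)["result"] for _, body in self.entries]


def produce_records(order, requesting_agency, requested_types, records,
                    operator, now, audit):
    """Return only the records the order covers; log and refuse anything else."""
    event = {"order": order.order_id, "operator": operator,
             "agency": requesting_agency, "at": now.isoformat()}

    def refuse(reason):
        audit.append({**event, "result": "refused", "reason": reason})
        raise ScopeError(reason)

    if requesting_agency != order.agency:
        refuse("requesting agency is not the agency named in the order")
    if not order.valid_from <= now <= order.valid_to:
        refuse("request outside the order's validity window")
    extra = set(requested_types) - order.record_types
    if extra:
        refuse("record types not authorised: " + ", ".join(sorted(extra)))
    # Positive filter on the named target: a wider query can never pull in
    # another subscriber's records.
    out = [r for r in records
           if r["subscriber"] == order.target_subscriber
           and r["type"] in requested_types]
    audit.append({**event, "result": "granted", "count": len(out)})
    return out


# Constructed sample data.
ORDER = CourtOrder("ORD-2015-0042", "sub-1001", "County Sheriff",
                   datetime(2015, 9, 1, tzinfo=timezone.utc),
                   datetime(2015, 9, 30, tzinfo=timezone.utc),
                   frozenset({"call_detail"}))
RECORDS = [
    {"subscriber": "sub-1001", "type": "call_detail", "data": "call to 555-0199"},
    {"subscriber": "sub-1001", "type": "billing", "data": "invoice 8812"},
    {"subscriber": "sub-2002", "type": "call_detail", "data": "call to 555-0111"},
]
NOW = datetime(2015, 9, 10, tzinfo=timezone.utc)


def demo():
    """One granted request, then two refused ones; return (records, audit)."""
    audit = AuditLog()
    granted = produce_records(ORDER, "County Sheriff", ["call_detail"],
                              RECORDS, "analyst-7", NOW, audit)
    for agency, types in (("City Police", ["call_detail"]),
                          ("County Sheriff", ["call_detail", "billing"])):
        try:
            produce_records(ORDER, agency, types, RECORDS, "analyst-7", NOW, audit)
        except ScopeError:
            pass
    return granted, audit


if __name__ == "__main__":
    records, log = demo()
    print(records)
    print("audit chain intact:", log.verify())
```

The refusals are logged before the exception is raised, so an operator who probes the order's limits leaves the same trail as one who stays inside them; in production the chain head would be written to storage the operator cannot alter.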
A single security breach by a communication service provider during a criminal investigation may trigger liability from as many as five sources: the FTC; the FCC; the criminal court; a state attorney general; and the harmed subscriber. That gives providers plenty of reasons to make cyber security a top priority.
Cyber Security Risks from Customers of Communication Service Providers
Many communication service providers serve enterprise networks like the one used by Wyndham. A cyber security breach in the enterprise network could spell trouble for the communication service provider. For example, the FTC could bring an enforcement action against the enterprise, and the enterprise could then sue its service provider to recover its resulting costs. This risk makes it especially important for service providers to prioritize cyber protection. Smart service providers will also advise their enterprise customers on how to protect themselves.