3 February 2020

A New Decade and New Cybersecurity Orders at the FTC

By Randy Milch, Sam Bieler

The Federal Trade Commission (FTC), America’s de facto consumer cybersecurity regulator, is welcoming the 2020s with a shift in its approach to cybersecurity. On Jan. 6, Andrew Smith, the director of the Bureau of Consumer Protection, announced via blog post that in the previous year the commission had “made three major changes” to its “orders in data security cases” to “improve data security practices and provide greater deterrence.” But Smith’s post ignores a significant shift in the FTC’s 2019 cybersecurity orders: the disappearance of the word “reasonable.” This unmentioned shift put the FTC’s new orders at odds with its statutory and regulatory authorities.

Smith acknowledges that the FTC’s cybersecurity orders have long required companies “to implement a comprehensive information security program subject to a biennial outside assessment.” Smith says that the 2019 orders have been improved by requiring “more specific” safeguards as part of the data security program, “require[ing] even more rigor” in the third party assessment, and obligating the settling respondent to present to its board or “governing body” the written data security program and to have its senior officers annually certify compliance to the FTC.


For nearly two decades, the FTC has used its power to police “unfair ... acts or practices” to mandate “reasonable” cybersecurity. But reasonableness quietly disappeared from the 2019 cybersecurity order seven as the commission’s governing statutes, regulations, complaints and public statements rely on the term.

Smith says that the FTC was “mindful” of the LabMD defeat in making the 2019 changes. LabMD—the rare FTC cybersecurity case actually reviewed by a court of appeals—saw the FTC’s order vacated and its litigating approach found not “substantially justified” in a subsequent award of attorneys fees to LabMD. Smith doesn’t mention the excision of “reasonableness,” and refusing to publicly grapple with such an important change in practice is not the foundation for an effective cybersecurity regime. Instead, the FTC should take the new decade as an opportunity to launch a cybersecurity regime built on clear, judicially administrable orders and transparent responsiveness to public feedback on its cybersecurity program.

The FTC inaugurated its reasonableness regime in its 2002 action against Microsoft and its Passport and Passport Wallet services. The Microsoft complaint alleged that, despite representations to the contrary, Microsoft failed to employ “sufficient measures reasonable and appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information” (emphasis added) in connection with Passport services.

The ensuing Decision and Order (D&O), which implemented the settlement with Microsoft, orders the company both to “not misrepresent” its security practices and to “establish and maintain a comprehensive information security program in writing that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers” (emphasis added).

In this D&O, the commission implied, but did not explicitly state, that a “reasonably designed” program is one that “contain[s] administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers ….” Moreover, the program must have a “designated employee” in charge of the program, “identify internal and external” security risks through an assessment process, “design and implement” safeguards to control the risks identified in the risk assessment and test and monitor those safeguards, and “evaluate and adjust” the program in light of the required testing and monitoring. The D&O also required Microsoft “within one year, and on a biannual basis thereafter[,]” to obtain an assessment of its program from a “qualified, objective, independent third-party professional, using procedures and standards generally accepted in the profession.”

Prior to 2019, the specifics of the “reasonably designed” program evolved only in certain small ways. For instance, in its 2007 Guidance Software D&O, the commission added a fifth requirement to the initial list of four: companies must demonstrate the “development and use of reasonable steps” to retain and monitor service providers “capable of appropriately safeguarding personal information.” But this change simply brought the commission’s concept of the reasonably designed information security program in line with the “safeguard” requirements the FTC set for the financial industry in 2003, an industry in which the Gramm-Leach-Bliley Act gave the commission the authority to make cybersecurity rules.

There have been other minor variations in the D&O reasonableness requirements. For instance, the five Guidance Software obligations have at times been subdivided into six, seven or eight items. In its 2018 revised D&O concerning Uber, instead of demanding that Uber implement an information security program, the commission required the company to institute a “comprehensive privacy program reasonably designed to ... protect the privacy and confidentiality of Personal Information.” In Uber, the five Guidance Software requirements were expanded slightly to require consideration of “secure software design, development, and testing, including access key and secret key management and secure cloud storage [and] ... review, assessment, and response to third-party security vulnerability reports, including through a ‘bug bounty’ or similar program.”

Nonetheless, from Microsoft in 2002 to Uber in 2018, the fundamental pattern remained the same. The FTC’s complaints cited failures to employ “reasonable and appropriate” security measures, and the corresponding D&Os mandated a “reasonably designed” program to safeguard information.

Things changed in 2019. The FTC identifies nine of its 2019 actions as involving data security. Four of the cases do not shed any light on the evolution away from reasonableness as the basis for a cybersecurity program. One, RagingWire, concerns an alleged violation of the U.S.-EU Privacy Shield Framework. Another, Office Depot, while tagged as a data security case, actually deals with advertising misrepresentations. Two others, LifeLock and LabMD, deal with new activity in old, previously resolved matters.

The five remaining actions—InfoTrax Systems, LightYear Dealer Technologies, Equifax, ClixSense.com and D-Link—all originate with complaints alleging a failure to provide reasonable information security in violation of the unfair practices prohibition, the Gramm-Leach-Bliley SafeguardsRule, or both. Director Smith’s blog post adds i-Dressup and Retina-X to the list. Both of these cases involve violations of the Children’s Online Privacy Protection Act of 1998 (COPPA) but are not listed with the other cybersecurity cases on the FTC’s website. With respect to information security, all of these complaints are consistent with prior FTC actions. But the orders resolving the cases are very different.

“Reasonable” and “reasonably” are conspicuously absent from the operative information security language of these stipulated orders or decisions. The 2007 Guidance Software D&O mentions “reasonable” or “reasonably” three times in describing the required information security program. Pre-2019 D&Os with expanded requirements mention “reasonable” or “reasonably” four (Fandango and HTC America) or five (TRENDnet) times. Of the seven 2019 orders, only two use the word “reasonably,” and each uses it once to describe an information security obligation. Equifax requires “training for software developers relating to secure software development principles and intended to address well-known and reasonably foreseeable vulnerabilities.” Retina-X requires “[t]echnical measures to secure Respondents’ web applications and mobile applications and address well-known and reasonably foreseeable vulnerabilities.” In the other cases, reasonableness is entirely absent from the operative paragraphs.

Despite its absence from the operative language of 2019 orders, reasonableness lives on in multiple other ways in the FTC’s cybersecurity efforts. First, all the complaints in 2019 cases allege the respondent’s failure to maintain a “reasonable” cybersecurity regime. Reasonableness is the rule under the “cost-benefit” analysis required by Section 45(n) in “unfair practices” adjudications, the current Gramm-Leach-Bliley safeguard regulations, COPPA and its regulations.

Second, reasonableness is inescapable in FTC press releases touting the resolution of the cases: LightYear and ClixSense both “failed to take reasonable steps.” D-Link misrepresented that its security was reasonable. InfoTrax “failed to put in place reasonable safeguards.” Equifax’s “failure to take reasonable steps to secure its network led to a data breach in 2017 that affected approximately 147 million people.” Additionally, reasonableness was at the center of the FTC’s March 2019 Senate testimony on its data security practices.

Finally, while reasonableness has been excised from the 2019 orders, the FTC has replaced it with another open-ended construct: “at a minimum.” Whereas the pre-2019 reasonable security programs were described as “including” the Guidance Software requirements (and minor variations), the 2019 orders state that the listed requirements are only what must be done “at a minimum.” Thus, the orders’ explicit obligations — even when considerably expanded—may not be sufficient should the FTC look into the respondent’s security practices again. Inevitably, companies faced with requirements “at a minimum” will wonder: What more might be needed? FTC press releases suggest that the answer to this question likely remains “reasonable” cybersecurity, since based on the 2019 complaints, this remains the commission’s view of what is currently required by the various statutes and regulations under which it polices cybersecurity. The FTC’s new approach to cybersecurity thus faces the daunting task of enforcing a reasonableness standard without using the word “reasonable” in any orders.

It appears that the FTC was a bit more mindful of the LabMD decision than the Smith blog let on. But, from the LabMD perspective, the FTC may not be much better off. In LabMD, the U.S. Court of Appeals for the Eleventh Circuit deemed the reasonableness standard (including the five Guidance Software requirements) too vague to be enforceable. Excising the term may be an effort to prevent similar judicial disapproval. However, the new “at a minimum” approach falls short of offering significantly more clarity. An order setting “minimum” cybersecurity requirements does not provide a defendant with more specificity than one with the same requirements couched as describing a “reasonable” program.

The new “at a minimum” orders suffer from many of the ills of the condemned LabMDorder. They “contain[] no prohibitions” nor do they “instruct [respondents] to stop committing a specific act or practice.” Instead, like the LabMD action, they require the creation of a new data security program. The Eleventh Circuit tested the legality of an affirmative obligation like reasonableness by imagining a district court proceeding brought by the FTC to enforce its order. The appellate court balked at approving a situation in which experts in this imagined proceeding dueled over whether a security program was “reasonable.”

The Eleventh Circuit’s analysis would hardly yield better results for the new “at a minimum” orders. Even if the “at a minimum” orders are more specific in some regards, the FTC runs into new problems. Any effort by the FTC to add new requirements in a subsequent enforcement proceeding would require it to explain to the court why it should impose the new obligations. And it’s hard to imagine an explanation that doesn’t refer to the ultimate statutory standard: reasonableness. Even with the addition of new obligations, the Eleventh Circuit’s disfavored scenario—dueling experts “putting the district court in the position of managing” the details of a cybersecurity program—is still the most likely scenario. While the greater specificity in the newer orders is salutary, at a fundamental level neither the old nor the new approach leaves a respondent in a position to know exactly what it must do to fully meet its obligations.

Of course, even if “at a minimum” would fail appellate scrutiny, the FTC may have another nearly 20 year run with this as its standard. All but one of the FTC cybersecurity orders since 2002 ultimately were consensual, and settling respondents routinely waive their right to appeal. This overwhelming preference for settlement over litigation makes it likely that the FTC can continue its somewhat modified cybersecurity enforcement program without judicial interference.

However, the fact that the FTC can continue down this road does not mean that it should. There has always been a debate as to whether the FTC has the technical expertise or staffing to take on the mammoth task of regulating consumer cybersecurity. Even if the FTC does have the capability to take on the task, it is questionable whether the approach of piecemeal adjudication under the venerable “unfair practices” prohibition—effectively the FTC’s only cybersecurity tool given the limitations of Magnuson-Moss rulemaking—is a sensible basis for this critical effort.

The recent shift from the reasonableness standard demonstrates the limitations of this legal framework. Even if replacing “reasonable” with “at a minimum” in D&Os keeps the courts at bay, the resulting orders hardly provide businesses with greater clarity on what will keep the FTC at bay. Moreover, the FTC’s public adherence to reasonableness in spite of its orders reflects an increasingly obscure system unlikely to result in effective or coherent cybersecurity.

The ideal solution remains for Congress to create a robust cybersecurity framework and an agency empowered to enforce it. If that is to be the FTC, Congress must release the commission from its Magnuson-Moss shackles. Congress should instead provide the commission with Administrative Procedure Act (APA) rulemaking authority for consumer cybersecurity, free of a statutory reasonableness requirement, so that it can openly promulgate rules with public feedback. The commission has taken a first step toward more detailed rules, where it has the authority, by proposing new Gramm-Leach-Bliley rules that are far more prescriptive.

In the absence of congressional action, the FTC can build a better cybersecurity regime itself. It can improve the transparency and technical excellence of its enforcement practices and orders by linking them, as we have suggested previously, to the tools of other government agencies such as the Cybersecurity and Infrastructure Security Agency. This would also help ensure that the government speaks with one voice on cybersecurity.

Similarly, the FTC should continue to seek public feedback on its data security enforcement regime and show how it has responded to that feedback. The FTC stated that its “Hearings on Competition and Consumer Protection in the 21st Century” series yielded valuable information. The Commission should share what information it found valuable from the hearing and how it is being used in the FTC’s enforcement actions. This step would help the Commission to build public confidence that it has a process for integrating public input into an effective and accountable cybersecurity regime, even absent APA rulemaking.

Despite these critiques, the FTC deserves credit for filling a dangerous void in America’s cybersecurity ecosystem. Moreover, Congress’s perennial sluggishness suggests the FTC, whatever its limitations, is likely to be holding the line on cybersecurity for the foreseeable future. It should do so by creating clear orders and by showing the public how their feedback will inform the FTC’s approach to cybersecurity for the new decade.

No comments: