Cybersecurity in One Voice: Leveraging CISA Programming to Improve FTC Cybersecurity Enforcement
The Federal Trade Commission (FTC) is the de facto national consumer-facing cybersecurity regulator. Since 1998, it has used its authority to police “unfair and deceptive” trade practices and to launch more than 70 enforcement actions against companies for having weak cybersecurity. However, its regulatory approach currently exists under a cloud of judicial skepticism. The FTC can ease this skepticism by explicitly linking its enforcement strategy with cybersecurity programs created by the Department of Homeland Security’s new Cybersecurity and Infrastructure Security Agency (CISA). The government should make engagement with CISA programs a safe harbor from FTC enforcement actions. Doing so will both dramatically boost private-sector use of those programs and increase the clarity of the FTC’s cybersecurity enforcement program. This will improve cybersecurity for American consumers and businesses and put the FTC’s approach in a stronger position to survive judicial review.
The Problems With the FTC’s Current Approach
The FTC’s current cybersecurity enforcement efforts are grounded in a “reasonableness” standard: The FTC can accuse a company that fails to take “reasonable” cybersecurity measures of engaging in an unfair practice. Yet two cases, FTC v. Wyndham and FTC v. LabMD, suggest that the FTC’s approach fails to provide sufficient specificity on what constitutes unreasonable data security.
Wyndham is generally regarded as an FTC victory. The U.S. Court of Appeals for the 3rd Circuit found (for the first time) that lax cybersecurity could be declared an “unfair practice” and regulated by the FTC and that Wyndham was on the hook for its lax cybersecurity. Yet, there is an important—and still unresolved—question about the FTC’s approach in the court’s opinion. Part of Wyndham’s challenge to FTC enforcement action was that the company argued that it did not have “fair notice” from the FTC that its cybersecurity practices could be considered deficient under § 45(a), which outlaws unfair trade practices. The court rejected Wyndham’s argument that it did not receive fair notice. However, the court only considered whether Wyndham had statutory notice that its deficient cybersecurity could be an unfair practice—in essence, whether cybersecurity could ever be an unfair practice.
Notably, however, the Wyndham court did not decide that the various FTC determinations of unreasonableness were enough to provide those regulated with satisfactorily fair notice. The ruling in Wyndham hinged on the company’s particularly weak security. The court was skeptical that the FTC’s cybersecurity guidance would provide fair notice in a case where a company had more robust security than Wyndham’s strikingly lax practices or where liability turned on the FTC’s interpretation of what security practices are reasonable. The court worried that the sources of the FTC’s “common law,” such as agency guidebooks, complaints, and consent decrees, did not provide “ascertainable certainty” of the “specific requirements imposed by § 45(a).” Nor did the court think it fair to expect parties to look at complaints and consent orders in an effort to understand their cybersecurity obligations.
Concerns over the fairness of notice provided by the current “reasonableness” regime are compounded by the U.S. Court of Appeals for the 11th Circuit’s decision in LabMD, which called into serious question the enforceability of FTC orders requiring “reasonable” cybersecurity. The core of the FTC’s complaint against LabMD—as in all FTC unfair practices security complaints—was not that LabMD had engaged in a specific impermissible practice, but that, overall, it failed to implement reasonable data security. The FTC’s cease-and-desist order required LabMD to develop a data-security program that was “reasonably designed[,]” yet the order was vague on what such a program would entail.
LabMD argued on appeal that the FTC’s cease-and-desist order was unenforceable because it did not direct the company to cease committing any specific unfair act prohibited by § 45(a). After assuming for the sake of argument that LabMD’s acts constituted an unfair practice, the court agreed that the order was unenforceable. The LabMD court feared that a regulatory regime built on requiring “reasonable” behavior was too imprecise for judicial enforcement. Given the penalties that can be imposed for violating a cease-and-desist order (more than $41,000 per violation, or for a continuing violation, per day of violation), the court held that due process requires that “the prohibitions contained in cease-and-desist orders and injunctions must be specific.”
The court held that the cease-and-desist order the FTC issued against LabMD did not meet this standard. Rather than prohibiting LabMD from engaging in a specific practice, the order required LabMD to “overhaul and replace its data-security program to meet an indeterminable standard of reasonableness.” The 11th Circuit feared that upholding the FTC’s order would require a district court enforcing the order to referee endless disputes over whether a practice was “reasonable.” Together, Wyndham and LabMD suggest that the FTC’s common law approach toward reasonable cybersecurity is too vague for companies to discern it from the FTC’s guidance or for federal district courts to enforce. These cases also suggest the FTC’s cybersecurity enforcement practice will likely continue to be subject to judicial scrutiny.
In theory, the FTC could address both the 3rd and 11th Circuits’ concerns about vague cybersecurity standards by promulgating more prescriptive rules instead of relying on FTC common law, as the Department of Health and Human Services does under HIPAA. But the FTC’s ability to promulgate “unfair practices” regulations is severely circumscribed by the requirements of the Magnuson-Moss process, which are substantially less efficient than standard Administrative Procedure Act (APA) rulemaking.
There is some evidence that, were it a viable option, the FTC would regulate cybersecurity along more prescriptive lines via affirmative rules. The FTC Safeguards Rule, issued under the Gramm-Leach-Bliley Act, is a case in point. Since 2002, the Safeguards Rule has required financial institutions to undertake actions “reasonably designed” to safeguard customer information. In this context, where the FTC can make rules using standard APA provisions rather than Magnuson-Moss, the commission recently proposed modifications to the Safeguards Rule. These new concrete rules are “based primarily” on the far more prescriptive cybersecurity regulations issued by the New York Department of Financial Services and the insurance data security model law issued by the National Association of Insurance Commissioners.
However, in areas like general consumer cybersecurity, where the FTC itself cannot easily issue more precise rules, the question becomes how to develop sufficiently precise guidance to add the specificity that the commission’s current common law approach lacks. Incorporating CISA programs and services into FTC guidance and enforcement actions is one way out of the FTC’s problem. This solution also offers a way out of a problem that CISA faces: lack of private-sector engagement.
Linking FTC Enforcement With CISA
Congress created CISA as a component of the Department of Homeland Security in November 2018 to improve domestic government and private-sector cybersecurity.The bill creating CISA reorganized Homeland Security’s National Protection and Programs Directorate by removing a number of non-cybersecurity-related components from its remit, and by elevating the status of the new cyber-focused agency within the department.
CISA offers a broad range of services designed to prevent and mitigate cyberattacks; however, engagement with the agency is voluntary. Although Homeland Security intended for CISA to encourage collaboration between government and the private sector, CISA’s lack of enforcement or regulatory power has limited its ability to drive engagement with its services. The FTC needs specific cybersecurity regulations to provide notice and enforceability; CISA needs a way to encourage greater private-sector engagement with its programs.
Connecting CISA tools to FTC enforcement standards and activities can provide the specificity, clarity and objectivity sought by the Wyndham and LabMD courts. The FTC has two avenues for making this connection: referring to CISA tools in formal and informal FTC guidance documents and using CISA tools as guides and reference points in enforcement actions. It should take both approaches.
The FTC publishes numerous formal and informal sources of guidance on what it considers sound and unsound cybersecurity. Formal FTC guidance includes reports such as “Start with Security,” which lists security flaws that resulted in FTC enforcement actions and broad suggestions for how such flaws could be remediated. The commission also offers basic guidance on data security through its Business Center website and its Stick with Security blog series. It has also used its blog to explain the factors it uses to initiate an enforcement action for unfair data-security practices. These resources are all part of what we referred to in the previous section as the FTC’s common law of cybersecurity.
While the Wyndham court was skeptical that these materials provided ascertainable certainty, the court gave little clarity as to what types of FTC guidance would pass muster. Under Wyndham it remains unclear whether adequate certainty comes from enumerating a list of behaviors to avoid or by telling companies what they should do. For instance, the FTC dutifully details egregiously bad cybersecurity practices in its administrative complaints issued to offending firms. Yet the Wyndham decision says these condemnations are of “little use ... in trying to understand the specific requirements imposed by § 45(a).” Meanwhile the Wyndham court criticizes the FTC’s effort to suggest “practices that form a ‘sound data security plan’” both as failing to “state that any particular practice is required by § 45(a)” and as failing to provide “ascertainable certainty” of what “specific cybersecurity practices fail § 45(n).” This puts the FTC in a difficult position as it looks for a standard that satisfies the court’s holding.
CISA programming can help FTC guidance offer this ascertainable certainty. For example, the eighth principle of the FTC’s “Start with Security” guide is “make sure your service providers implement reasonable security measures.” The current guidance for achieving this consists of a single page with highly general strategies that may or may not be applicable to a business such as requiring service providers to adopt encryption. CISA’s EDM tool, by contrast, is specifically designed to assess a business’s supply-chain vulnerability and offer advice tailored to the specific weaknesses facing that business. If “reasonable security measures” are defined by CISA’s EDM tool, businesses will have a far clearer understanding of FTC standards and FTC enforcement will be much more likely to survive judicial review.
The FTC has made cursory references to the Department of Homeland Security in its documents, but more specific references would provide greater certainty and guidance. For example, the FTC released “Cybersecurity for Small Business” as a product co-branded with Homeland Security, the National Institute of Standards and Technology and the Small Business Administration. Yet, despite being co-branded with Homeland Security, the guide does not reference department services (including CISA tools). The FTC offers two pages of general advice on protecting against phishing attacks without mentioning that CISA’s PCA tool offers companies a free customized assessment of their vulnerability to phishing attacks. The FTC guidance also fails to note that the PCA includes a report that provides objective evidence that the company is taking steps to address its phishing vulnerabilities. Direct reference to relevant CISA tools could be the more precise guidance the Wyndham court sought.
The same is true on enforcement side of the FTC’s regulatory process, where the FTC has two opportunities to use CISA programs. First, the FTC could reference CISA programs in its closing letters when it decides not to proceed with an enforcement action. The typical closing letter only broadly identifies what practices a company undertook that led to the favorable enforcement outcome. This is a missed opportunity for the FTC to identify sound cybersecurity practices. If a company participated in CISA programs, then stating in a closing letter that a company’s use of CISA programming mitigates the need for an enforcement action would prompt other entities to similarly leverage CISA’s free resources to improve their own cybersecurity.
Indeed, turning CISA programming into such a safe harbor by plainly stating that participating in CISA programming is a mitigating factor the FTC will consider when determining whether to initiate an enforcement action would improve overall American cybersecurity and give further clarity to businesses. Moreover, since this would be a general statement of agency policy, the FTC would avoid APA issues or the need to use the cumbersome Magnuson-Moss process.
Second, CISA programs can help address the LabMD court’s concerns about the specificity of injunctions and orders. Using its discretion to craft remedies to unfair practices, the FTC could issue guidance stating that, where reasonable to the circumstances of the case, it will henceforth use participation in CISA programming as the affirmative requirement of all enforcement dispositions. A federal judge enforcing an FTC order would only have to determine whether a company did or did not execute a particular set of CISA programs, rather than the more nebulous and subjective question of whether a given practice was “reasonable.” Referencing CISA programming in these dispositions will provide clear and administrable orders that still promote good cybersecurity.
Incorporating CISA programming into FTC orders offers the objective criteria for order and injunction administration that the LabMD court found lacking. For example, in 2010, the FTC brought a complaint against food and entertainment chain Dave & Buster’s. The complaint alleged that the company’s failure to use an intrusion detection system or to monitor traffic on its computer network was an inadequate data-security protocol that constituted an unfair practice. Dave & Buster’s agreed in an FTC consent order to “establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed[.]” This is precisely the order language that was found vague and unenforceable in LabMD.
An FTC order embracing CISA programming would instead reference CISA tools to create a clearer and more administrable order. For example, CISA’s VADeR assessment is designed to help identify suspicious network traffic, and its ECS program is designed to mitigate the possibility of the kind of unauthorized data exfiltration that compromised Dave & Buster’s. Participation in both of these services can easily be verified objectively: VADeR provides a report while ECS is a paid service whose providers could testify to participation in the service. Requiring companies to implement the recommendations from an assessment like VADeR eases administrability concerns. Rather than asking the more nebulous question about whether a particular company’s practice is reasonable, a court can ask whether a firm executed a concrete CISA program. The FTC inquiry would become a binary fact-finding exercise rather than a battle that puts a judge in the uncomfortable position of passing judgment on the reasonability of particular cybersecurity practices.
Some observers may argue that making CISA programming the baseline for reasonable data-security practices would decrease overall American cybersecurity. Their fear is that companies with security superior to CISA offerings will downgrade their security to the bare minimum necessary to be comparable to CISA. This is a common concern in cybersecurity regulation: A regulatory “floor” that is supposed to be the minimum standard instead becomes the ceiling as companies feel no incentive to improve their security beyond the minimum needed to avoid regulatory action. There are two responses to this concern. First, assuming companies did seek only adherence to a “floor” of basic CISA security standards, the current weak state of U.S. cybersecurity means that this change would nevertheless represent a substantial overall net improvement in American cybersecurity. Second, even if companies—despite the increasing real dollar losses associated with poor cybersecurity—did devolve to the CISA “floor,” CISA can be expected to modify the “floor” in order to continuously evolve as threats and technology change. This evolution will over time alter both the safe harbor and post-enforcement obligations in a positive direction.
In the likely continued absence of any comprehensive federal legislative action, the FTC’s enforcement efforts are, and will remain, a critical tool to increase national cybersecurity. Yet, Wyndham and LabMD have put the future of these efforts in doubt. At the same time, CISA has developed a broad array of cybersecurity tools but, lacking enforcement power, is still seeking ways to promote engagement with those tools. One agency has enforcement power but needs specific tools and standards, and the other has specific tools and standards but lacks enforcement capabilities.
These two agencies are a natural fit to solve each other’s problems. Referencing CISA programming in FTC orders and guidance offers a way to address the challenges posed by Wyndham and LabMD. And a CISA safe harbor from FTC enforcement would greatly encourage the use of this valuable CISA programming. A small win-win in a long battle.