Sensitive Data: What Constitutes 'Reasonable Protection'?
NIST's Cybersecurity Framework takes on new context for industry execs in light of FTC lawsuit against the Wyndham hotel chain over data security lapses.
10 Ways To Fight Digital Theft & Fraud
(Click image for larger view and slideshow.)
A Federal Trade Commission lawsuit now before the federal courts, alleging that the Wyndham hotel chain failed to make reasonable efforts to protect consumer information, offers a cautionary tale to all executives. The concern: How do companies decide what constitutes "reasonable protections" of sensitive data -- and how do they know if they're meeting that standard?
The lawsuit promises to bring attention and context to a set of voluntary national cybersecurity guidelines released in February by the National Institute of Standards and Technology (NIST), designed to help executives address those questions, as InformationWeek Government contributing writer William Jackson reports this week.
The case against Wyndham Worldwide and three subsidiaries involves the theft of hundreds of thousands of consumer debit- and credit-card numbers, after hackers allegedly broke into Wyndham's corporate computer system and systems of several individual hotels from 2008 to early 2010. (This theft pales in comparison to the massive breach of Target's point of sale systemslate last year, which affected as many as 70 million customers.) The case is as much about whether the Federal Trade Commission has the authority to police Wyndham as it is about the company's security practices.
In her April 7 decision to let the case proceed, US District Judge Esther Salas ruled that the FTC indeed has the power to regulate corporate data-security practices -- and made it clear that executives had better take their companies' data-security precautions more seriously.
But what constitutes reasonable protections and the role the new federal cybersecurity framework might play? Although protecting consumer data and the nation's critical-infrastructure facilities might seem to be two different endeavors, they share a common need to assess and protect against risks.
Back in December 2008, around the time hackers were finding their way into Wyndham's computer systems, former Defense Information Systems Agency director Harry D. Raduege and a federal commission filled with security experts delivered a report to President Obama that laid bare how vulnerable the nation's privately held critical-infrastructure systems were to cyberattacks.
Some industries were deemed better prepared than others. Companies in charge of the nation's energy and water supplies, those operating communications and transportation networks, and those in a dozen other industries, including healthcare and banking, were said to be ill-prepared to protect their operations from increasingly sophisticated cyber-attacks. The risk of economic catastrophe loomed large. Moreover, there existed no clear baseline across all those industries to establish a set of protections.
For better or worse, Congress has been unable to agree on a legislative remedy, leading President Obama to issue an executive order last May calling for industry leaders and NIST to hammer out a set of cybersecurity best-practices, resulting in the framework NIST released for infrastructure operators in February.
The guidelines give industry executives something their counterparts at Wyndham probably wish they had: a template for assessing their security
Wyatt Kash is a former Editor of InformationWeek Government, and currently VP for Content Strategy at ScoopMedia. He has covered government IT and technology trends since 2004, as Editor-in-Chief of Government Computer News and Defense Systems (owned by The Washington Post ... View Full Bio
Security Job #1 For FedsThe 2014 InformationWeek Government IT Priorities Survey shows federal IT pros care about security - itís rated as very important by 69% of respondents, 30 percentage points ahead of the No. 2 priority, disaster recovery. Will the upcoming NIST cyber-security framework help manage risk?