Government // Cybersecurity
Commentary
4/22/2014
09:46 AM
Wyatt Kash

Sensitive Data: What Constitutes 'Reasonable Protection'?

NIST's Cybersecurity Framework takes on new context for industry execs in light of FTC lawsuit against the Wyndham hotel chain over data security lapses.

A Federal Trade Commission lawsuit now before the federal courts, alleging that the Wyndham hotel chain failed to make reasonable efforts to protect consumer information, offers a cautionary tale to all executives. The concern: How do companies decide what constitutes "reasonable protections" of sensitive data -- and how do they know if they're meeting that standard?

The lawsuit promises to bring attention and context to a set of voluntary national cybersecurity guidelines released in February by the National Institute of Standards and Technology (NIST), designed to help executives address those questions, as InformationWeek Government contributing writer William Jackson reports this week.

The case against Wyndham Worldwide and three subsidiaries involves the theft of hundreds of thousands of consumer debit- and credit-card numbers, after hackers allegedly broke into Wyndham's corporate computer system and systems of several individual hotels from 2008 to early 2010. (This theft pales in comparison to the massive breach of Target's point of sale systems late last year, which affected as many as 70 million customers.) The case is as much about whether the Federal Trade Commission has the authority to police Wyndham as it is about the company's security practices.

In her April 7 decision to let the case proceed, US District Judge Esther Salas ruled that the FTC indeed has the power to regulate corporate data-security practices -- and made it clear that executives had better take their companies' data-security precautions more seriously.

[NIST's cybersecurity framework gives critical infrastructure operators a new tool to assess readiness. Read Protecting Critical Infrastructure: A New Approach.]

But what constitutes reasonable protection, and what role might the new federal cybersecurity framework play? Although protecting consumer data and protecting the nation's critical-infrastructure facilities might seem to be two different endeavors, they share a common need: to assess risks and to protect against them.

Back in December 2008, around the time hackers were finding their way into Wyndham's computer systems, former Defense Information Systems Agency director Harry D. Raduege and a commission of security experts convened by the Center for Strategic and International Studies delivered a report to President-elect Obama that laid bare how vulnerable the nation's privately held critical-infrastructure systems were to cyberattacks.

Some industries were deemed better prepared than others. Companies in charge of the nation's energy and water supplies, those operating communications and transportation networks, and those in a dozen other industries, including healthcare and banking, were said to be ill-prepared to protect their operations from increasingly sophisticated cyberattacks. The risk of economic catastrophe loomed large. Moreover, no clear baseline of protections existed across those industries.

For better or worse, Congress has been unable to agree on a legislative remedy, leading President Obama to issue an executive order in February 2013 directing NIST to work with industry leaders to hammer out a set of cybersecurity best practices. The result was the framework NIST released for infrastructure operators this February.

The guidelines give industry executives something their counterparts at Wyndham probably wish they had: a template for assessing their security


Wyatt Kash is a former Editor of InformationWeek Government, and currently VP for Content Strategy at ScoopMedia. He has covered government IT and technology trends since 2004, as Editor-in-Chief of Government Computer News and Defense Systems (owned by The Washington Post ...

Page 1 of 2
Comments
BobH088
User Rank: Apprentice
4/23/2014 | 9:16:17 PM
security solution
One of the most common causes of data getting in the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags (mystufflostandfound.com) let someone who finds your lost stuff contact you directly without exposing your private information. I use them on almost everything I take when I travel, like my phone, passport and luggage, after one of the tags was responsible for getting my lost laptop returned to me in Rome one time.
WKash
User Rank: Author
4/22/2014 | 1:59:07 PM
Re: Legislate outcomes, don't mandate requirements
Thanks, Drew, for clarifying that. I think how you put it: "(Companies) have a legal obligation to protect customer data" and "have a legal obligation to publicly report the unauthorized exposure of customer data" -- is on the money.

One of the big challenges that remains is determining when and whether companies are legally at fault when data is breached -- as it inevitably will be -- and how to assess the penalties. One of the things the cybersecurity framework does, at least, is establish minimum security measures across industries on which to build a case for critical infrastructure protection. We still need a comparable document for consumer data protection.
Drew Conry-Murray
User Rank: Ninja
4/22/2014 | 1:35:51 PM
Re: Legislate outcomes, don't mandate requirements
Hi Wyatt,
Thanks for the comment. I think I was a bit inarticulate. I don't want the government to set the requirements for how to protect the data, because you're right, technology changes faster than the government can keep up with.

I want the government to say "You have a legal obligation to protect customer data" and "you have a legal obligation to publicly report the unauthorized exposure of customer data" and pretty much leave it at that. If companies fail in either of those obligations, that would open them to repercussions.
WKash
User Rank: Author
4/22/2014 | 1:03:21 PM
Re: Legislate outcomes, don't mandate requirements
Thanks for weighing in on this, Drew. I think you're half-right: Government should set penalties for failure to protect data. But I believe -- and most in industry believe -- that Government shouldn't be in the business of setting "rules that mandate the protection of customer data" as you suggest, in part because history has shown that rules fail to keep up with the rapid changes in technology (and the products/services that evolve from them). I do agree that focusing on the outcomes, not compliance, is the better way to go.
Lorna Garey
User Rank: Author
4/22/2014 | 11:58:58 AM
Re: Legislate outcomes, don't mandate requirements
Exactly, but the key is to make the penalties have teeth. We've all heard about HC firms that would rather pay HIPAA fines, if they ever are caught, because the fines cost significantly less than being compliant. The penalty should be a percentage of company earnings so that the amount scales and dings large and small equally, plus mandates to offer credit monitoring services.
Drew Conry-Murray
User Rank: Ninja
4/22/2014 | 11:54:37 AM
Re: Legislate outcomes, don't mandate requirements
PCI was very much on my mind when I was writing that response.
RobPreston
User Rank: Author
4/22/2014 | 11:42:31 AM
Re: Legislate outcomes, don't mandate requirements
Drew, I'm sure you're thinking what I'm thinking: Telling companies HOW to reach an outcome rather than punishing them for not reaching the desired outcome smacks of PCI, which has become a dance around the auditors.
Drew Conry-Murray
User Rank: Ninja
4/22/2014 | 10:45:41 AM
Legislate outcomes, don't mandate requirements
I think it's useful to have organizations like NIST provide guidelines that companies can use, but I'd rather have the federal government provide very clear rules that mandate the protection of customer data, and the potential penalties for failure (fines, lawsuits, etc.) instead of trying to tell companies how to protect customer data. You can mandate all the security requirements you want: organizations will still get breached. Rather than make companies jump through regulatory hoops to demonstrate compliance, set clear penalties for failure, and then organizations put their efforts into protection and response rather than trying to play "find the loophole" or "satisfy the auditor."