Sensitive Data: What Constitutes 'Reasonable Protection'?

NIST's Cybersecurity Framework takes on new context for industry execs in light of FTC lawsuit against the Wyndham hotel chain over data security lapses.

posture and a set of standardized activities to follow to protect against and respond to cybersecurity threats.

As the Target data breach illustrates, even having the most sophisticated monitoring tools and measures is no guarantee that attackers won't get in. However, because the NIST guidelines represent the recommendations of hundreds of public- and private-sector organizations and companies, rather than government, the framework establishes what reasonable cybersecurity practices look like for a variety of industries.

De facto standard
Which brings us back once again to the FTC case. Legal experts -- including Gerald Ferguson, a data protection expert at law firm BakerHostetler, and former White House cybersecurity adviser Richard Clarke -- maintain that the NIST cybersecurity framework will become a de facto standard in cybersecurity-related lawsuits in determining whether companies took sufficient steps to protect their operations from attacks.

Industry executives must also expect that FTC attorneys will study every word of the framework. Don't miss the fact that FTC chairwoman Edith Ramirez requested legislation on Dec. 12 that would make the FTC's current practice of policing data breaches one of its official duties. While the FTC has the authority to police trade practices considered to be "unfair" and "deceptive" to consumers, its authority to police data breaches is less explicit.

That hasn't stopped the FTC from asserting itself. For example, the FTC and the Department of Justice issued a policy statement on April 10 to clarify that companies can share cybersecurity threat information with competitors without violating antitrust law. Such info sharing is seen as a critical step to improve cybersecurity, but companies have been reluctant to do so for fear of the trustbusters.

The FTC and DOJ guidance not only provides legal cover, but it also encourages companies to use the cybersecurity framework.

This isn't to say that companies have been sharing no threat information; a number of sectors have established groups for that purpose. For instance, amid denial-of-service attacks on the websites of leading US banks over the last few years, banks formed the Financial Services Information Sharing and Analysis Center to swap relevant information with one another and with the federal government. Nonprofit organizations such as Boston's Advanced Cyber Security Center, the Bay Area Security Council, and ChicagoFirst have brought together companies across industries in major metropolitan areas.

No one, including those who helped craft the federal cybersecurity framework, thinks its guidelines will address every security issue that US companies face. But they're starting to address the question every CEO must answer sooner or later: What do reasonable cybersecurity protections look like and is my organization adhering to them?

