Tabletop for NJSBA Second Annual Cybersecurity Conference

Here is a tabletop exercise I drafted that we’ll be running at the Second Annual NJSBA Cybersecurity Conference.

Acme Corp. manufactures and sells industrial control systems (ICS).  ICS devices integrate computer chips, hardware and software and can be programmed to monitor, regulate and control various components of commercial manufacturing, assembly and packaging plants.  For example, the following video shows an Acme ICS serving as the controller for a water bottling plant:

Acme’s ICS devices are network-enabled and come bundled with a software suite that allows users to monitor and control the devices through a web interface.

Acme also provides installation and maintenance services for its ICS equipment.  Each ICS device must be configured for the systems it will control, which involves the creation of custom computer code.  The computer code, and sometimes the hardware, must periodically be updated if the underlying system configuration changes or if Acme develops performance enhancements, bug fixes, or security patches.  In a larger installation, Acme’s fees for installation and maintenance can exceed the costs of the initial hardware purchase, and the total contract price can exceed ten million dollars.

Acme maintains detailed information about each of its installations, including specific configuration information, networking details, and backup copies of computer code.  This information is stored in numerous documents in a variety of formats, including, for example, Word documents, Excel spreadsheets, Powerpoints, e-mails, and plain text files, on systems used by various Acme business units.  Files may reside on individual computer hard drives, internal company file servers, portable media (such as thumb drives), company-owned and personal laptops, smartphones and tablets, and commercial cloud-based storage such as Google Drive and Dropbox.

ISSUE 1:  A number of management-level Acme employees recently received emails purporting to have been sent by Sol Fish, Vice President for Client Relations at Acme.  The emails instruct the recipients to log into a newly-established sales database through a hyperlink in the email using their existing Acme network log-in credentials.  Fish did not send these emails, however, nor has Acme created any new sales database.  Meanwhile, Fish has received an email from Carl Kent, a business reporter for the Broad Street Journal, inquiring about the fact that the full technical specifications for an ICS installation at Port Newark were posted this morning on a number of business and government blogs.  In fact, Acme won a contract to improve the automation of shipping cranes and other devices at the Port.  The contract was controversial because of unsubstantiated allegations of bid rigging, cost overruns, and other political complaints.  The full technical specifications are confidential for security concerns among other reasons.  An obvious inference is that the spear-phishing attack may have allowed someone to obtain and post the confidential specifications.

ISSUE 2:  In addition, Fish has received an angry call from Bill Brazos, the CEO of Consolidated Fulfillment Centers, Inc.  Consolidated owns and operates large warehouse and fulfillment centers for major online retail companies.  Brazos claims that an Acme ICS system installed at a Consolidated facility in Edison, NJ contained a vulnerability that allowed hackers to obtain information concerning consumers to whom products were being distributed through the Consolidated facility.   Brazos says “millions” of customer accounts may have been compromised.

Why Education and Training Matter to Cybersecurity Compliance

Cybersecurity is an overwhelming problem – so overwhelming that it seems impossible to address.  From the legal and compliance perspective, the problem is compounded by a lack of clear regulatory rules or judicial precedent about what kinds of measures might be sufficient to mitigate the risk of liability for a data breach or other cybersecurity incident.  One important step every business can take, however, is to implement a cybersecurity compliance training program.

Training as a Component of Legal Compliance

The “gold standard” for managing cybersecurity risk is the NIST Cybersecurity Framework.  The NIST Framework identifies four “tiers” of cybersecurity compliance, with Tier 1 representing the lowest degree of compliance and Tier 4 the highest.  A principal driver of how an organization can move up from Tier 1 through Tier 4 is organizational knowledge.  In Tier 1, according to the Framework,

There is limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization.

Id. at 10.  In contrast, at Tier 4,

There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks.

Id. at 11.  In order to move up through the Tiers, an organization must ensure that “[a]pplicable information from organizational privacy policies is included in cybersecurity workforce training and awareness activities.”  Id. at 16.

The FTC also emphasizes the importance of cybersecurity training.  In the Opinion of the Commission in In the Matter of LabMD, Inc., FTC Docket No. 9357 (July 29, 2016), the Commission found that

LabMD did not employ basic risk management techniques or safeguards such as automated intrusion detection systems, file integrity monitoring software, or penetration testing. It also failed to monitor traffic coming across its firewalls. In addition, LabMD failed to provide its employees with data security training. And it failed to adequately limit or monitor employees’ access to patients’ sensitive information or restrict employee downloads to safeguard the network.

Id. at 11-12 (emphasis in original).  Concerning training, the FTC noted, “[e]ven where basic hardware and software data security mechanisms are in place, there is an increased likelihood of exposing consumers’ personal information if employees are not adequately trained.”  Id. at 14.  The Eleventh Circuit recently stayed the FTC’s Order in LabMD over concerns about the Commission’s statutory authority over general cybersecurity issues.  See LabMD v. Federal Trade Commission, No. 16-16270-D,  Slip Op., (11th Cir. Nov. 11, 2016).  Meanwhile, the FTC continues aggressively to pursue cybersecurity enforcement actions.  However the Eleventh Circuit litigation turns out, the FTC’s emphasis on cybersecurity training will continue to inform standards of legal liability, both before the FTC and other authorities.

The emphasis on training is also evident in the recently proposed New York State Department of Financial Services Cybersecurity Regulations.  See New York State Department of Financial Services Proposed 23 NYCRR 500 (Dec. 28, 2016).  The NYDFS regulations created national headlines because they will cover a wide array of entities, including most of the U.S. and multinational banking sector, with any connection to financial service business in New York.  The regulations state that every covered organization must “provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks” and “verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.”  Id., § 500.10.  The proposed NYDFS Regulation further states that all covered entities must “provide for regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.”  Id., § 500.14.

The NIST, FTC, and NYDFS sources cited above are only a few recent prominent examples of why cybersecurity training is important.  The importance of adequate cybersecurity training will continue to resonate through statutory, regulatory and case law developments concerning cybersecurity liability for many years to come.

Training About What, For Whom, By Whom?

This discussion of “training” raises the obvious question of what kind of content the training should include, who should receive training, and who should perform the training.  There is no one-size-fits-all answer to these questions.  Obviously, Information Technology and Security professionals will need highly specialized technical training, which may come in the form of advanced degrees or industry certifications in the details of network configuration, digital forensics and the like.  But perhaps less obviously, all members of the organization, from the C-Suite to operations to sales, should receive cybersecurity training appropriate to their functions.

General cybersecurity training should cover concepts such as organizational risks from cyber threats, basic principles of cyber risk measurement, common types of cyber attacks, good cyber hygiene, procedures for reporting cybersecurity incidents, and awareness of the organization’s legal and regulatory environment relating to cybersecurity risks.  The LabMD case supplies one cautionary tale about how training could have helped:  the breach in that case resulted from LabMD’s billing manager using Peer-to-Peer software to download music while at work, and the resulting costs of the FTC action helped bankrupt the company.  See LabMD v. Federal Trade Commission, No. 16-16270-D,  Slip Op., (11th Cir. Nov. 11, 2016) (noting that “[t]he costs of complying with the FTC’s Order would cause LabMD irreparable harm in light of its current financial situation.”).   Perhaps if that billing manager had known about the enormous vulnerabilities presented by P2P software she would not have used it at work and the company would still be in business.  Another good example relates to a common kind of “social engineering” attack.  Cyber criminals sometimes leave USB memory sticks containing malware in open areas such as parking lots and reception areas.  Employees who find these “lost” memory sticks are often compelled by curiosity to plug them in – after all, perhaps they contain racy photos from the boss’s party last weekend, or secret documents worth millions! – but once plugged in they unleash havoc on the company network.  A good training program will highlight this kind of risk and will connect the risk to a compliance program that provides clear procedures for the handling and disposal of orphaned USB sticks.

The final question is who should perform the training.  The first requirement, of course, is that the trainers are thoroughly knowledgeable about cybersecurity risks, compliance procedures, and the organization’s legal and regulatory environment.  Technical professionals need technical training, but for most people in an organization, the training required is more policy oriented.  This means that not only IT, but also the organization’s risk management, human resources, and legal functions should become involved in crafting and delivering the training.  Since cybersecurity training should be connected to an organization’s comprehensive cybersecurity policy, and since a proper cybersecurity policy should flow from the Board of Directors, inside and/or outside counsel should play a key role in this process.  Legal counsel can ensure that the organization’s cybersecurity program is consistent with the organization’s legal and regulatory environment, and can also, if appropriate, seek to protect elements of the program within the attorney-client and work product privileges in the event of an investigation or dispute.


Cybersecurity risks cannot be ignored.  This is true not only as a practical matter, but also as a legal and compliance issue.  The need for cybersecurity training at all levels of an organization is embedded in the emerging regulatory consensus about what is required to satisfy an organization’s basic legal obligations.  Legal counsel can play an important role in helping shape and deliver an organization’s cybersecurity training program.

FTC Data Breach Response Guide

The FTC has issued a new data breach response guide for businesses.  There is a good amount of useful information in the guide, particularly in the steps to take immediately upon learning of a data breach.  In particular, the steps to secure affected operations are important, including assembling a forensic and legal team, securing physical spaces, and taking equipment offline without destroying data that might provide clues about the origin of the breach.  I’m a bit less certain about the guide’s “Model Letter” for breach notification to customers.  A model might be helpful, but as the guide notes, there are varying state breach reporting requirements, so the model form will need tailoring for specific jurisdictions.

Perhaps the most interesting aspect of the guide, however, is what it suggests about the FTC’s enforcement intentions and how the FTC views the standard of care for responding to a breach.  A guide such as this one provides an indication of what kind of response the FTC might deem inadequate and therefore potentially subject to an enforcement action, not only for the circumstances leading up to the breach, but also for a poorly executed response.

The FTC, Ransomware, and You

“Ransomware” is malicious software that enables attackers to hold computer data or a computer network hostage until a ransom is paid.  Ransomware often encrypts all the files on a system, making them unusable until the attacker supplies an encryption key.  An FBI Alert issued last week stated that ransomware infections are at an “all-time high.”  According to the FBI Alert, just one recent strain of ransomware infected about 100,000 computers per day.  Id.  Commenting on the Alert, security expert Brian Krebs said “[w]hat we can expect is not only more targeted and destructive attacks, but also ransom demands that vary based on the attacker’s estimation of the value of the data being held hostage and/or the ability of the victim to pay some approximation of what it might be worth.”

The ransomware threat is troubling from the perspective of business continuity, lost productivity, lost data, and possible ransom payment costs.  The threat is also troubling from a legal perspective because in public comments earlier this month, FTC Chairwoman Edith Ramirez suggested that failure to address vulnerabilities that could be exploited by ransomware can comprise an FTC Act violation.  This means companies now face two kinds of liabilities from ransomware:  business costs, and civil liability to the FTC and perhaps private litigants.

The Federal Trade Commission has no specific statutory mandate over cybersecurity compliance.  Nevertheless, the FTC has made cybersecurity enforcement central to its institutional mission.  Legal challenges to the FTC’s authority over cybersecurity so far have failed.  In FTC v. Wyndham Worldwide, 799 F.3d 236 (3rd Cir. 2015), for example, the Third Circuit held the FTC’s statutory mandate under the Federal Trade Commission Act, 16 U.S.C. § 45(a), to prevent “unfair methods of competition in commerce” encompasses cybersecurity policies and requirements relating to a company’s customer data.  And the FTC recently concluded that the FTC Act’s general balancing test for determining if an act or practice is “unfair” applies to cybersecurity issues.  See In the Matter of LabMD, Docket No. 9257, Opinion of the Commission (July 29, 2016).

These risks are particularly difficult to manage because of the FTC Act’s standard of liability and the nature of ransomware.  Under Section 5(2) of the FTC Act, an act or practice is “unfair” only if

(1) it “causes or is likely to cause substantial injury to consumers;”

(2) the injury “is not reasonably avoidable by consumers themselves”; and

(3) the injury is “not outweighed by countervailing benefits to consumers or competition.”

In the Matter of LabMD, at 9 (quoting 15 U.S.C. § 45(n)).  In LabMD, the Commission stated that “’[t]he touchstone of the Commission’s approach to data security is reasonableness.’”  Id. at 11 (quoting Commission Statement Marking the FTC’s 50th Data Security Settlement, at 1 (Jan. 31, 2014)).  While a “reasonableness” standard sounds reasonable, the statutory test essentially encodes a kind of “negligence balancing test” in which “reasonableness” is measured by the risk and probability of harm in comparison to the burden of taking precautions.  Most of us will remember – with varying degrees of fondness – this test from Judge Learned Hand’s famous opinion in U.S. v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947):  B >< PL.

The problem with this kind of test in relation to cybersecurity is that the probability of some loss is very high and the scope of the loss could be enormous.  This means just about any kind of precaution could be considered reasonable.  Indeed, in LabMD, the Commission found that LabMD “did not employ basic risk management techniques or safeguards such as automated intrusion detection systems, file integrity monitoring, or penetration testing.”  In the Matter of LabMD, at 11.   “Penetration testing,” which involves employing “white hat” hackers to probe a network for vulnerabilities, can be a valuable part of a cybersecurity hygiene program, but it is a stretch to suggest that penetration testing should always be employed by every entity on every kind of network.  See SANS Institute InfoSec Reading Room, Penetration Testing:  Assessing Your Overall Security Risks Before Attackers Do (June 2006).

The U.S. Department of Justice has published an interagency technical guidance document on protecting networks from ransomware that could serve as a useful rough measure of reasonable care.  According to the Justice Department guide, preventive measures against ransomware should include a number of specific technological measures together with an “awareness and training program.”  Id. at 3-4.  The guide notes that “[b]ecause end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.”  Id. at 3.  The DOJ’s guide also includes lists of instructions for business continuity and for incident response if infected with ransomware.  See id. at 4-5.

The growth in ransomware and other cybersecurity threats and the FTC’s aggressive enforcement posture suggest that companies should carefully consider their preparations for ransomware and other malware attacks in conjunction with legal counsel.  And even with what seem like reasonable preparations, companies of every size must prepare for an adverse incident.  In this regard, the following DOJ recommendation for incident response is particularly noteworthy:

Contact law enforcement immediately. We strongly encourage you to contact a local field office of the Federal Bureau of Investigation (FBI) or U.S. Secret Service immediately upon discovery to report a ransomware event and request assistance

Id. at 5 (emphasis in original).

Contacting the FBI or Secret Service might be a good idea, because ransomware attackers often are connected to foreign criminal syndicates and might even help finance terrorism.  However, companies should keep in mind the FTC’s commitment to enforcing its broad unfairness standard against companies suffering from ransomware attacks.  In addition, companies sometimes decide to pay the ransom quietly in order to regain access to their data.  Brian Krebs, for example, describes an incident in which a company’s finance department “didn’t bat an eyelash when asked to authorize several payments of $600 to satisfy the Bitcoin ransom demanded by the intruders: After all, . . . the data on one of the infected systems was worth millions — possibly tens of millions — of dollars, but for whatever reason the company didn’t have backups of it.” Once the government is involved, a quiet ransom payment might not be possible – if it is even considered lawful under the circumstances.  Any investigation of the incident, and particularly any coordination with the FBI, should involve legal counsel to protect privilege and limit liability as much as possible.

NY Department of Financial Services Cybersecurity Regulations

Yesterday the New York State Department of Financial Services sent a letter to members of the Financial and Banking Information Infrastructure Committee announcing a plan to enact new cybersecurity regulations for financial institutions.  The regulations would require covered entities to

  • Maintain written internal cybersecurity policies and procedures;
  • Maintain policies and procedures to ensure the security of data held by third party providers;
  • Adopt multi-factor authentication for some resources;
  • Designate a CISO responsible for the institution’s cybersecurity program;
  • Adopt procedures and guidelines to ensure the security of applications used by the entity;
  • Employ personnel adequate to manage the entity’s cyber risks;
  • Conduct annual penetration testing and quarterly vulnerability assessments;
  • Maintain an audit trail system; and
  • Notify the Department of cyber incidents.

While most sophisticated financial institutions already engage in many of these functions, the regulations would add a new dimension to compliance.  The requirement to employ certain kinds of personnel, in particular, will be controversial.