Friday, March 10, 2017

Cybersecurity Rule Setting the Mark

So far, cybersecurity rulemaking in the United States has been piecemeal despite numerous efforts. Unlike the European Union, which has acted through its General Data Protection Regulation (GDPR) initiative, the U.S. has no comparable framework. We do have amendments bolstering the Gramm-Leach-Bliley Act, embodied in the Consumer Data Security and Notification Act of 2015, that seek to require financial institutions to give notice of data breach incidents. While the term "industries" has expanded to encompass all entities with operational responsibility for handling consumer financial information, Congress responded to California's promulgation of the California Notice of Security Breach Act by proposing its own Information Protection and Security Act. The race is on to set provisions with teeth that cut through the obstacles in cybersecurity and data management and that respond to consumer protection needs.
Needless to say, companies have been required to address cybersecurity and the management of data, especially personally identifiable information (PII). There is also growing concern about corporate spying, the impetus that led to the SPY Act, i.e., the Securely Protect Yourself Against Cyber Trespass Act. Though not successful, initiatives since 2011 have pursued legislative reforms to meet concerns about information sharing, data management, and cloud transfers, especially with the E.U. and entities conducting business there. But the matter of setting a cybersecurity regulation has now been placed center stage by the State of New York. In a press release, New York's Department of Financial Services (DFS) announced its Rule to "protect consumer data and financial systems from terrorist organizations and other criminal enterprises." The rule took effect March 1, 2017. The release noted that the provision "will require banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State's financial services industry."
The scope of its coverage hits all the points: it defines affiliates, penetration testing, persons, and publicly available information so that responsibility follows contractual connections, and it imposes a recurring monitoring obligation through risk assessments, authentication, and programs for advisory roles. It further extends its scope to authorized users and covered entities. An "authorized user" is deemed to be an employee, contractor, or agent with authorized access to the information systems of the covered entity. Its structure is aptly labeled, with a girding focus on providing for a cybersecurity program, policy, chief information security officer, penetration testing, vulnerability assessments, audits and screening of results, application security, personnel qualifications and clearances, vendor cybersecurity policies, and response plans. The requirements also delve into encryption, multi-factor authentication, training, monitoring, notifications, post-incident assessments, pre-incident security integrity audits and post-incident audits, and the expected implementation and enforcement.
As the rule takes effect, many entities will face compliance concerns with their policies and contracts. The example set by New York's DFS will probably catch the eye of Washington and serve as a model for other states, especially as the EU moves closer to enforcing its GDPR. Concerns about cyber-attacks and cyber incidents are mounting, and lawmakers seem to be seeing the need. The general hope is that the initiative catches the attention of managers and heads of covered entities, and of those on the fringes, for the sake of cyber peace of mind and consumer protection at large. It may even wake up other states too.
Lorenzo Law Firm is “Working to Protect your Business, Ideas, and Property on the Web." Copyright 2017, all rights reserved Lorenzo Law Firm, P.A.

Thursday, March 9, 2017

Internet of Things Security Claims

Internet of Things security claims have caught the attention of lawmakers and regulators. The Internet has been interesting to follow and work with as a realm of process and information exchange. As the devices used to transmit information multiply in our lives and work, protection of what is transmitted from unwanted eyes is not necessarily keeping pace with the advancement of innovation. Against that concern, the Federal Trade Commission has determined that standards are needed to address foreseeable vulnerabilities. These vulnerabilities were of concern when the FTC's study focused on devices transmitting across networks under the concept of the Internet of Things (IoT).
Since 2014, efforts to standardize measures to enhance cybersecurity have been taking shape through an Executive Order and the Cybersecurity Enhancement Act of 2014. The emphasis was on continuing the work of the National Institute of Standards and Technology (NIST). The FTC acknowledges the urgency with which Web applications are being deployed to give everyday devices tangible communication features.
Along with these concerns, the FTC saw fit to file a complaint against a manufacturer of devices commonly used for Internet access and transmission. The angle the FTC took against D-Link was one based on weaknesses in cybersecurity. The claims were not based on actual harm experienced by consumers, but on the security deficiencies themselves. The complaint addressed IoT devices such as routers and Internet Protocol (IP) cameras. The FTC also discussed the software implemented to achieve the transmission needed for the devices to work as intended. This approach also examined consumers' use of mobile apps in the transmission and delivery of communications.
Under its authority to address misrepresentation in business practices, the FTC seeks to determine whether an entity misled consumers into believing and trusting its representations, especially where the claims were of a cybersecurity nature, touting that measures were implemented to a level of prevention when they were not. Section 5(a) of the FTC Act provides authority consistent with this role and with its pursuit of the D-Link matter. Claiming to implement a security measure when even the commonly accepted measure was not implemented is what the FTC deems deceptive under its Act. To aggravate the matter, if the measures not taken are ones that are reasonable to implement and that the industry knows will prevent unauthorized access if implemented, then the entity is failing to take reasonable precautions. D-Link was considered to have deceptively led consumers, through its claims, to believe that security features were in place.
It is noteworthy that actual harm was not the gravamen of the filing; rather, it was the deceptive aspect of the device manufacturer's cybersecurity claims. This matter is telling for business. If a company advertises security features, such claims had better be backed by reasonable measures that meet them. The FTC takes claims without supporting measures seriously. If the practices meant to ensure that the claims are met fall short of what the industry considers reasonable measures, the business in question will face a hurdle of credibility and reputation in the industry, not to mention the scrutiny of the FTC.
Advertising is key to business growth and brand development. Advertising done with overstatements, exaggerations, and claims that are not carried out, on the other hand, is only asking for trouble. Businesses should take care to address their policies, manuals, promotions, packaging, and advertisements with honest involvement of the technical stakeholders of the business and of management before publishing any security claims to the consumer public. If carelessly crafted and promoted, materials published by a business will be seen as deceptive and will run counter to FTC guidelines, which are intended to establish standards of practice addressing considerations for Internet of Things devices.