What is a “Reasonable Security Practice”?

The Third Circuit appellate court also held that the FTC's recent enforcement actions give ample notice of what constitutes an inadequate security program and, by inference, some indication of adequacy. The Wyndham complaint reads as a laundry list of what not to do. Among other things, FTC alleges that Wyndham: (i) stored credit card information in clearly readable text, (ii) permitted the use of easily guessed passwords, (iii) failed to use reasonable measures to protect against attack, such as firewalls, (iv) failed to implement adequate policies and procedures (such as permitting the network to be accessed using an out-of-date operating system, (v) permitting individual hotel servers to connect to Wyndham’s network through default passwords and IDs which were easily discoverable by hackers, and (vi) insufficiently restricting third party access to the Wyndham network, etc.

To demonstrate that they have reasonable security practices in place, enterprises must understand what software’s are used throughout the organization, how it is used and constantly monitor code for potential vulnerabilities. In addition, CIOs should consider working more closely with their internal procurement organizations to identify secure code during the sourcing process.

Is Some Code More Secure than Others?

A traditional argument in favor of the use of open source software has been that open source is more secure than proprietary code. In theory, more eyeballs on open source software should result in fewer bugs and less potential for the inclusion of security vulnerabilities but 2014 was an awakening for the open source community in terms of software security— think Heartbleed and Shellshock. Heartbleed remediation was a logistical nightmare for enterprises which lacked visibility into the open source used in their infrastructure.

"The Federal Trade Commission (FTC) has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information"

Today, the open source community is putting more emphasis on security in open source code and the ability to demonstrate that open source code is secure. But at an August 2015 Linux Foundation event (LinuxCon) in Seattle, Linus Torvalds, the driving force behind the Linux kernel and its chief architect struck a sobering note on the subject of cyber security. In his keynote, Torvalds said, “Security is bugs, completely stupid bugs that some clever person comes around and takes advantage of. We'll never get rid of bugs so security will never be perfect.” Torvalds continued “Open source is doing fairly well, but anyone who thinks we'll ever be completely secure is foolish."

Lulling Consumers into a False Sense of Security

It is a settled legal question that the FTC can prosecute enterprises which mislead or deceive consumers. Snapchat’s claim that user photos and videos that would self-destruct permanently after the recipient viewed them when in fact, Snapchat images were not actually deleted from users’ phones, is the deceptive practice which lead to a twenty year requirement of privacy reviews.

Similarly, the FTC brought a claim for deceptiveness based on the Wyndham privacy policy because Wyndham’s policy claimed the company safeguards, “Our Customers information by using standard industry practices” and “We make commercially reasonable efforts to make our collection of such Information consistent with all applicable laws and regulations”.

As privacy policy review is a continuing theme in FTC enforcement actions and a ready source of deceptive claims, enterprises should avoid over-promising or misleading consumers regarding data security practices.

It will be interesting to see what claims the FTC might bring against Ashley Madison in light of recent events.

Three Takeaways:

1) Work with your supply chain to source secure code.

2) Track all code in your infrastructure both open and proprietary.

3) Don’t over-promise in a privacy policy.