The Best Practice Myth -

While everyone can discuss security, regulation, and privacy we first should understand this moving target called best practice and why we should care about it in great detail. The reason you should care is of three simple letters FTC or, more commonly known as, the Federal Trade Commission. Upon clicking the FTC link you can see right under the title Protecting America's Consumers. What is a consumer you might logically ask? It is everyone that purchases anything, interacts with anyone for the purpose of doing business or performing a service and covers profit and non-profit entities. Thus, the FTC is the ultimate regulatory body within the United States and covers all aspects of business or engagement with anyone that could be, even remotely, viewed as a "customer" aka consumer. Most people think the FTC has to do with stocks or bonds, sorry to say this but that is the SEC. So, hopefully at this point, you will have in your mind that the FTC involves every single business entity, profit or not, that performs actions, functions, activities, sells products, provides services, etc... within the USA.

So, can the FTC impose sanctions and so on for foreign companies? Sure can, they don't care where you are from if you are doing business in the US.

Considering that the FTC is the ultimate regulatory body for the USA, how many people know of the FTC security and privacy framework? You can try all you want to find one however it simply doesn't exist. The FTC assumes that if you are running a company (doesn't matter if it's for profit or not) then you should know the regulations that apply to you and are applying common sense as well as best practice. Unfortunately, best practice varies based on what technology is available and in comparison to what threat actors are attempting. Thus there are no actual guidelines to go off of in relation to best practice but really the collective opinion of supposed experts in their respective fields.

For example, best practice states that encryption should be used. OK, what kind of encryption? Should we use AES-128 or should we use AES-256? While AES-128 is legal to use is it safe to use vs just going with AES-256 in the first place? The regulation may state use "appropriate encryption" or may say a minimum level of encryption. This is where the FTC has the option to swoop in, investigate, and possibly impose sanctions. These sanctions can also be quite punishing and I'm specifically picking encryption as an example for this particular part.

So, lets say your company has suffered a breach and is using AES-128 per the minimum standards of what ever regulatory environment the company has to adhere to. Regardless that the regulation states one thing, the FTC can still come in and say "you should have known better" and "should have applied AES-256 given that AES-256 was so easily readible and would have incurred no additional cost or effort to implement". This is a prime example of how the FTC can "gotcha!".

Has the FTC exercised it's muscle before? You bet they have!

So what similarities do with have with the above examples. Only one...consumers. You see examples of commercial, financial, advertising, etc... plus these business can be of any and all sizes. The FTC's goal is to ensure that there is not an anticompetitive, deceptive, or unfair business environment and practices. Additionally, the FTC can enforce how it sees fit to include fines, court orders, and law enforcement options. As it is, you can read through the links to see the various fines however not all companies made it...Tower Records is out of business.

What can you do to protect yourself and your company? Firstly, is always do your best in what ever it is you need to do in order to protect your company. However, and likely the most important, is to be completely transparent with your customers/consumers and don't commit to anything you can't do. A very easy way for a company to get on the FTC radar is to be accused of "deceptive trade practices" or, in other words, lead your clients down the path that your company is doing something when in reality it is not for the purpose of getting the business. For example, if there was contractual language that there must be at least annual vendor due diligence and risk assessment review and that contract was signed under the pretense that the company was either going to, or already was, performing due diligence then that would definitely be "deceptive trade practices" as it would relate to that one area. At this point you, the reader, should be asking yourself if your company is completely compliant on your contractual obligations?

You may also want to consider the minimum requirements, per regulation, and determine if there is anything more you can do that doesn't add an extreme financial burden or effort. This could, possibly, help you in other areas as well by being able to show your company went above and beyond the regulatory requirements.

Another area that should be considered is contractual language around what and when your clients could possibly perform their own audits against your company. Ideally you want as long as possible to ensure a successful audit because an unsuccessful audit could lead to an FTC complaint.

Contact Arrakis for more information.