Trade Law Daily is a Warren News publication.
Government Action Debated

FTC Says Cybersecurity Needs Loose Joints but Sharp Teeth

The FTC suggested that the FCC adopt a “flexible” cybersecurity certification program that will allow companies to anticipate and “adjust to evolving security threats” while providing “a strong enforcement program.”

T-Mobile said in reply comments that it agrees with “the vast majority of commenting parties” that FCC involvement in wireless broadband cybersecurity would do more harm than good. “In the highly competitive mobile broadband wireless marketplace, wireless carriers such as T-Mobile have enormous market-driven incentives to protect the security of broadband infrastructure,” the company said. “The adoption of cyber security guidelines may actually undermine industry efforts.” Cybersecurity breaches are rare in wireless service and end up getting lots of publicity, T-Mobile said. “Customers that lose critical data or have personal information stolen are more likely to switch providers to remedy the perceived security flaws,” the carrier said. “As a result, wireless broadband providers have every business incentive to manage their networks to ensure ample protections are in place for safeguarding network and consumer information, and to maintain service continuity even in the event of a cyber attack.”

NTCA called the FCC’s proposal for a cybersecurity certificate program “well intentioned” but not needed now. The program would impose “additional regulatory burdens for all carriers -- and particularly for small rural communications providers,” the group said. “The regulatory certification process, controlled by private auditors, will require an unnecessary intrusion into and examination of rural networks whose providers already have a hefty incentive to protect their customers from cyber threats. Furthermore, enforceability of the certification may be impractical.” Carriers “already have adequate market incentives to guard their customers from cyber attacks,” NTCA said.

But the National Association of State Utility Consumer Advocates said a voluntary program won’t prove effective. “NASUCA agrees with commentors that stakeholders are in a good position to secure the cyber-space assets they own and control, but also believes that a basic underlying structure of cyber-security principles and guidelines are necessary to ensure inter-operability of communications infrastructure and the continued inter-communication of threats and vulnerabilities between stakeholders,” the group said. “NASUCA believes it is prudent for the FCC to establish a ‘baseline’ of security requirements, in effect mandating a minimum set of national standards to ensure interoperability and establish a basic level of security. While preserving the telecommunication infrastructure, this also allows each company to do what is in its best interest to secure and protect the specific networks it operates.”

“Based on our law enforcement experience regarding data security, the FTC has recognized that there is no ‘one size fits all’ security plan,” the FTC said in comments to the FCC. The comments responded to a notice of inquiry on a proposal for a voluntary cybersecurity certification program for communications service providers. The FTC cited as a model its safeguard rule under the Gramm-Leach-Bliley Act, which “allows companies to select specific safeguards that are appropriate to their size and complexity. … Because companies may grow over time, security measures should be scalable to accommodate potential changes in the security threats they might face as a consequence of expansion.”

Any FCC rules on cybersecurity should allow companies “to take appropriate steps to guard against risks and vulnerabilities that can be reasonably anticipated,” the FTC said. The FTC’s case against ChoicePoint -- accused of allowing thieves to make off with 160,000 customer files because of lax security -- is illustrative, the filing said. “The FTC’s settlement with ChoicePoint required it to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program and to obtain audits by an independent third-party security professional every other year for 20 years.” The company didn’t abide by the settlement, but the FTC succeeded in broadening it and strengthening enforcement, the FTC said.

Concerning enforcement, the FTC said that if “consumers are to rely on a certification … it is important that a program … have the resources necessary to conduct regular reviews of participating companies, evaluate complaints of non-compliance and take remedial action where necessary.” The FTC pointed to a lawsuit by the agency against ControlScan, which the commission alleged had “deceived consumers about how often it actually monitored the sites it certified. … The settlement bars such misrepresentations and requires the company to take down its seals.”