By Bill Butler
In August 2016, the Federal Trade Commission (“FTC”) addressed the effect of the Cybersecurity Framework (“NIST Framework”) issued by the National Institute of Standards and Technology on FTC enforcement actions under Section 5 of the FTC Act. While there have been few enforcement actions to gauge the actual impact of the NIST Framework, the FTC’s recent public comment on the National Telecommunications and Information Administration’s (“NTIA”) proposed “coordinated vulnerability disclosure” template (“Template”) further signals that the FTC endorses the principles set forth in the NIST Framework.
Last month, the FTC submitted its public comment on NTIA’s proposed Template. The Template is intended to help companies communicate with security researchers regarding company policies for receiving and responding to information about security vulnerabilities in their products and services. In the comment, the FTC highlighted that its enforcement actions have encouraged the exchange between companies and security researchers as part of “a comprehensive plan to ensure the security of software and consumer devices throughout the product lifecycle.” The FTC also noted that the Template offers companies “an adaptable model for implementing a vulnerability disclosure policy appropriately tailored to the company’s size and resources.” Finally, the FTC suggested that the Template could “create common expectations with respect to processes for vulnerability disclosure, communication, and remediation.”
These comments are consistent with many of the same points the FTC emphasized in discussing the NIST Framework. To review, the FTC considers the NIST Framework as a point of reference to help companies to assess cybersecurity risks and threats and develop a plan to maintain and improve their cybersecurity systems. But the FTC carefully noted that the NIST Framework is not a standard or a checklist, and that the FTC does not require any sort of specific “compliance” with the NIST Framework. Rather, it characterized the NIST Framework and its five “functions” – Identify, Protect, Detect, Respond, and Recover – as guidance for a company’s cybersecurity efforts to comply with FTC standards and help avoid FTC enforcement actions.
In describing the individual NIST Framework “functions,” the FTC specifically addressed some of the measures now raised in the FTC’s public comment on the Template. For instance, the FTC noted that the NIST Framework’s “Identify” function should encourage companies to “[r]eceive threat and vulnerability information from information sharing forums and sources” and “[e]stablish . . . risk management processes that are agreed to by organizational stakeholders.” More broadly, the FTC emphasized that the NIST Framework encourages companies to tailor data security systems to different threats, vulnerabilities, and risk tolerances.
The consistency between the FTC’s comments on the NIST Framework and the Template should signal to companies that the FTC strongly endorses both the NIST Framework and the Template in developing, supplementing, and maintaining a data security system. Moreover, because the FTC considers vulnerability disclosure policies to be a “cost-effective and efficient” measure to address vulnerabilities, companies should pay close attention to developments with the NTIA’s Template and implement it where appropriate.