On June 6, 2018, the Eleventh Circuit vacated a cease and desist order issued by the FTC against LabMD as unenforceably vague. The FTC’s Order, which resulted from a finding that LabMD had failed to maintain an adequate cybersecurity program, directed LabMD to “establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers. . . .” In short, it required LabMD to raise the standard of its cybersecurity program without specifying the means of doing so. The Eleventh Circuit held that the Order was so broad that it could not be enforced or administered, and that it failed to include “any meaningful standard informing the court of what constitutes a ‘reasonably designed’ data-security program.”
The Eleventh Circuit’s LabMD decision highlights the ongoing debate over whether cybersecurity regulations should be standards-based or rules-based. The standards-based approach favors broad, flexible requirements that mandate that a company establish a “reasonable” or “industry standard” cybersecurity program, without indicating how. In addition to the FTC, many cybersecurity regulators have adopted a primarily standards-based approach.
California state law, for example, requires businesses to “implement and maintain reasonable security procedures and practices . . . to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” Similar language appears in the cybersecurity laws of Illinois, Colorado and Louisiana. In Europe, GDPR requires organizations to process personal data in accordance with six principles, namely “lawfulness, fairness and transparency,” “purpose limitation,” “data minimisation,” “accuracy,” “storage limitation,” and “integrity and confidentiality,” and to implement “appropriate technical and organisational measures” to secure it, again without prescribing what those measures must be.
Proponents of the standards-based approach argue that having general and flexible requirements is the right model for cybersecurity regulations because they must be applied to companies that operate on different scales, and with very different types of data, resources, and risk profiles, which makes a one-size-fits-all approach impractical. They also argue that flexible standards are necessary because cyber threats and technology are constantly changing, so specific measures that may be adequate one month may be insufficient the next.
In its LabMD decision, the Eleventh Circuit lent support to proponents of the rules-based approach to cybersecurity regulation, which favors concrete measures that a company must take to be deemed compliant, largely without regard to its particular characteristics. Rather than requiring companies to meet current industry standards or best practices, rules-based cyber regulation creates them.
The standard-bearer for the rules-based approach to cybersecurity is the New York Department of Financial Services (NYDFS), which imposes significant, detailed responsibilities on covered entities, including:
- The elements of a written incident response plan
- Limitations on access privileges
- Regular cybersecurity awareness training
- Penetration testing and vulnerability assessments
- Multi-factor authentication
- Application security
- Monitoring of the activity of authorized users
- Data minimization
- Vendor management
Similarly, the National Association of Insurance Commissioners has issued an Insurance Data Security Model Law that includes specific measures akin to the NYDFS rules. That law has already been adopted by South Carolina, with other states considering similar measures. Massachusetts has also long mandated specific elements for information security programs, including secure user authentication protocols, encryption, and firewall protection.
The most obvious regulatory advantage of the rules-based approach is some degree of certainty, for both the regulators and the regulated entities, in terms of what is required. To address some of the concerns that a one-size-fits-all approach places too heavy a burden on small companies, the NYDFS rules allow for exemptions from certain specific requirements for very small companies (fewer than 10 employees) or if, based on a risk assessment, the company implements effective alternative compensating controls that are reviewed and approved by the CISO.
In its first cyber enforcement action, the NYDFS reaffirmed its commitment to its rules-based approach. On June 27, the NYDFS announced that Equifax had agreed to take corrective action for its 2017 data breach, as set forth in a consent order that involved seven other state banking regulators. In contrast to the FTC’s LabMD order, the NYDFS Equifax order includes specific requirements, including:
- The Equifax board must review and approve a written risk assessment that identifies (1) foreseeable threats and vulnerabilities to the confidentiality of personally identifiable information; (2) the likelihood of threats; (3) the potential damage to the company’s business operations; and (4) the safeguards and mitigating controls that address each threat and vulnerability.
- Equifax must improve standards and controls for supporting the patch management function. An effective patch management program must be implemented to reduce the number of unpatched systems and instances of extended patching time frames.
- Equifax must enhance oversight of IT operations as it relates to the disaster recovery and business continuity functions.
The Eleventh Circuit’s decision is likely not a death blow to the FTC’s remedial powers and preferences. The agency may continue to pursue a standards-based approach by encouraging settlement agreements and tailoring cease and desist orders to accommodate the LabMD decision. Still, the Eleventh Circuit’s decision and the recent actions by the NYDFS and the other state regulators who joined in the Equifax resolution place another weight on the scale in favor of prescriptive, rules-based cybersecurity regulation.
The Davis Polk Cyber Portal, which is now available to our clients, provides detailed checklists and other resources to help companies comply with both their standards-based and rules-based regulatory obligations.
The authors gratefully acknowledge the assistance of summer associates Catherine Martinez and Jonah Stotsky in preparing this entry.