SANS Security Trend Line

We Don't Need More Cybersecurity Regulations, We Need More Federal Trade Commissions Enforcing Existing Regulations

Since 2002, the US Federal Trade Commission has punished 48 US companies for violating their published privacy policies and exposing consumer personal data. That list includes big names like CVS, Eli Lilly, Microsoft and Twitter, as well as smaller companies such as Dave and Busters, Franklin Budget Car Sales and something called RockYou.

In all that time, I haven't seen a bit of lobbying by the FTC for new laws or regulations - they have been enforcing their existing charter as the consumer world evolved:

FTC Mission

To prevent business practices that are anti-competitive or deceptive or unfair to consumers; to enhance informed consumer choice and public understanding of the competitive process; and to accomplish this without unduly burdening legitimate business activity.

Recently, the FTC has received the ultimate compliment: business lobbying groups are trying to attack the FTC's authority to go after companies that allow consumer information to be exposed - Network World article here.

Back in the early 1990s, I had a CTO-like role at a large government contractor business unit, where I controlled all research and development, business development and capital investment budgets, and reviewed all proposals and program technical outputs. I knew I was doing the right thing when all the departments got together to complain to my boss that I was being unfair to all of them...

In the current case, back in 2008 Tiversa discovered a LabMD spreadsheet on the peer-to-peer network LimeWire, and the document included personal information on 9,000 consumers. Turns out a manager at LabMD had installed LimeWire on his PC to steal music, and LabMD had no process or controls in place to detect that kind of thing, or to notice if sensitive information went flying out the door.

In fighting the FTC action, LabMD CEO Mike Daugherty seems to be taking an "ignorance should be bliss" approach: "The incident happened in 2008, 'when no one understood the vulnerability of P-to-P,' Daugherty said."

Which, of course, is nonsense - the Network World piece points out: "However, researchers first raised concerns about inadvertent file sharing on P-to-P networks back in 2002, and a congressional committee explored the issue in a 2003 hearing." If the LabMD CISO didn't know about the risks of BitTorrent, LimeWire, FrostWire, etc. by 2008, he or she was living in some strange happy fantasy land.

Another interesting argument being used in LabMD's fight against the FTC is a version of the "don't go after murderers, go after the gun companies" argument, put forth by Tom Sydnor, a fellow at something called the Association for Competitive Technology: "Instead of filing a complaint against LabMD, the agency should have long ago targeted P-to-P vendors for 'tricking' users into sharing files they wanted to keep private, Sydnor said."

Well, I apologize for filling your Monday morning with the tortured logic of lawyers and fellows, but I like to take every opportunity to highlight the nice work being quietly done by the FTC in using its existing charter to fight for its customers.

For you Critical Security Controls fans, the relevant ones:
