FTC, SEC struggle to fill gaps in federal cybersecurity rules


When it comes to cybersecurity enforcement, I don't usually think of the Federal Trade Commission (FTC) or the Securities and Exchange Commission (SEC). But it seems they are becoming much more involved in cybersecurity enforcement, even if their mandates in this area are not clear.

One problem is that there is no comprehensive federal law addressing cybersecurity issues across industries. There are industry-specific data security regulations for the health-care and financial services sectors, for example.

So the FTC and SEC have been stepping in to go after companies in other sectors for lax cybersecurity. Just this week, the FTC reached a settlement agreement with Taiwan computer maker AsusTeK for allegedly making insecure home routers and offering cloud services that put consumers' privacy at risk.

The FTC charged that there were critical security flaws in Asus routers and that the routers' insecure "cloud" services led to the compromise of thousands of consumers' connected storage devices, exposing their sensitive personal information on the Internet.

As part of the settlement, Asus agreed to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.

This comes after other moves by the FTC to crack down on firms, such as the hotel chain Wyndham, that have poor data security practices and procedures.

As for the SEC, back in 2011 the agency issued a "staff guidance" advising companies to disclose information about cybersecurity risks and cyber incidents in their SEC filings. The guidance was advisory in nature, not compulsory.

However, the SEC has taken some cybersecurity enforcement actions as detailed last week by Stephanie Avakian, deputy director for the enforcement division, at the annual SEC Speaks event sponsored by the Practicing Law Institute.

As reported by Law360, Avakian said that the SEC has acted against companies that have failed to adopt clear data security policies and procedures as well as hackers who have gained access to confidential information to conduct insider trading. Avakian stressed that so far the SEC hasn't gone after companies for failing to disclose data breaches.

CyberVista CEO Amjed Saffarini believes that this could change soon. CyberVista provides cybersecurity awareness training and consulting for board members and C-level executives at companies.

"Whether the pressure is coming from government, in the case of the SEC or FTC, or from private shareholders groups, it's certainly indicating where the puck is going and where the SEC might come down on this … They are clear on the direction they want to take when it comes to cybersecurity disclosures," Saffarini told me in a recent interview.

CyberVista just released a survey it conducted with Zogby of 300 board members and C-suite executives that found gaps in their cybersecurity awareness. According to the survey, 35 percent of respondents either did not know or were not sure what legally constitutes a data breach in their state, and 9 percent of executives reported that they were never briefed on cybersecurity matters.

"We think it is exactly right [for agencies and shareholders groups] to be pushing for greater awareness of what is one of the biggest risks a company can have," said Saffarini.

The FTC and SEC are stretching their decades-old mandates to cover holes in current federal cybersecurity law. A better approach would be for Congress to pass comprehensive cybersecurity legislation detailing clear cybersecurity responsibilities for companies and clear regulatory authorities for federal agencies.

-- Fred, @FierceFred1