IEEE Future Directions
Cybersecurity Law & Emerging Technologies Part 1
The Federal Trade Commission, Reasonable Security Measures, and IoT
May 2017
Emerging technologies and their development, deployment, and business models accelerate more rapidly than do the important legal frameworks needed to govern those technologies and activities. Cybercriminals likewise run rampant and push the need for meaningful cybersecurity laws forward with urgency. In this Part 1 article, I discuss cybersecurity law as it applies to emerging technologies with a specific focus on the Internet of Things (“IoT”). Cooperative efforts between the technology and legal communities are greatly needed to better inform the development of technically-mindful cyber laws and of the technologies that are reshaping humanity and society.
A good mutual starting point is with the U.S. Federal Trade Commission’s (“FTC’s”) unfairness standard under its principle governing statute, and the flexible requirement for “reasonable security measures” under that standard.
The Federal Trade Commission and Reasonable Security Measures
The FTC Act (“Act”), a civil, rather than criminal, statute, established the FTC and provides this independent agency’s principle, but not only, legal authority [1]. Under the Act, this agency regulates conduct involving the Internet and otherwise as that conduct relates to consumers and competition [2]. Indeed, the FTC is one of the most important United States legal authorities governing cybersecurity, including in the IoT context.
The Act’s Section 5 declares that “unfair or deceptive acts or practices in or affecting commerce” are illegal [3]. Here, we focus on what constitutes the FTC’s unfairness authority, the basis for its legal requirements for cybersecurity. Under Section 5(n), unfair acts or practices have three statutory elements:
- The act or practice results in substantial consumer injury [4];
- The consumer cannot reasonably avoid that injury; and
- The harm caused by that act or practice is not outweighed by countervailing benefits to consumers or to competition [5].
This unfairness standard goes beyond these stated elements, however. As interpreted, it encompasses Congress’ intent to imbue it with ethical and equitable principles and public policy concerns [6][7]. For example, no actual injury or completed harm is required to meet the first element [8]. An unfair act or practice may occur where substantial harm is likely to occur, irrespective of whether it does or did materialize [9]. This public policy extension to include reasonably foreseeable harm enables the law to operate prospectively to prevent consumer harm.
Furthermore, an actor’s unfair act or practice may not be the cause of the consumer injury for that actor to be liable under the Act [10]. For example, the FTC prosecuted several Wyndham companies for unfair acts or practices as to the cybersecurity risks to hotel guests’ personal and payment information [11]. Hackers exploited those risks on three occasions, injuring some 619,000 consumers and resulting in at least US$10.6M in fraudulent charges and the illegal export of hundreds of thousands of consumer records to a domain mapped to Russia [12]. The FTC prosecuted the Wyndham defendants for their “failure to implement reasonable and appropriate security measures [13].” Those failures repeatedly exposed consumers’ information to “unauthorized access, collection, and use” resulting in substantial harm [14]. Here, equitable principles and public policy concerns make it appropriate to hold the Wyndham defendants accountable because, had they implemented reasonable security measures, the harm could have been avoided or significantly mitigated.
Under the FTC’s unfairness authority, IoT and other companies must use “reasonable security measures” to protect consumers’ data [15]. As seen in Wyndham and other FTC enforcements, the failure to use reasonable security measures is an unfair act or practice in or affecting commerce and, thus, illegal. The FTC has held public workshops and invited comments about how cybersecurity and privacy matters should be addressed in IoT contexts [16]. It released an early stage report summarizing the discussions and recommendations, but has not issued any specific rules about IoT cybersecurity [17]. Therefore, reasonable security measures under the unfairness standard continue as the relevant legal requirements under the FTC’s jurisdiction.
The FTC elucidates what constitutes reasonable security measures with its guidance based upon its fifty-plus data security enforcements. In Start with Security, the FTC distills its guidance into ten (10) categories and corresponding subcategories [18]. Although some FTC guidance regarding secure development processes will be familiar [19], drill-downs on the details associated with each guidance are useful.
To facilitate, the FTC identifies its enforcement actions as to a particular guidance and then links detailed documents to further illuminate it. For example, the FTC’s secure development guidance discusses its prosecution of HTC America (“HTC”) [20]. The FTC alleged that HTC failed to implement reasonable security measures where HTC, among other illegal conduct, introduced permission re-delegation vulnerabilities in its customized, pre-installed mobile applications on Android-based phones and thereby undermined the operating system’s more protective security model [21].
As to IoT, the FTC has begun prosecuting failures to implement reasonable security measures [22]. In its latest such case, the FTC filed a complaint against D-Link Corporation and a subsidiary in January 2017 for failures associated with its mobile application-accessible routers and Internet Protocol cameras [23]. The FTC also brought IoT cybersecurity suits against ASUSTeK in February 2016 [24] and TRENDnet in September 2013 [25]. Routers with extendibility to private cloud storage services were at issue in the ASUSTeK case [26]. The TRENDnet litigation involved Internet-connected video cameras [27].
We need not detail each point of FTC guidance here. One subcategory, however, is particularly relevant to IEEE and its constituencies and to the stated goals of this IEEE Future Directions publication: the FTC’s guidance to use “tried-and-true industry-tested and accepted methods for securing data” (“Tried and True Guidance”) [28].
The technology community is constantly innovating the methods by which we treat and secure and treat data. Cybercrime, state-sponsored cyber espionage, and cyber warfare, and “white hat” innovations to respond to and circumvent same, drive innovations around data security with great intensity [29]. Accordingly, the important take-away regarding the FTC’s Tried and True Guidance is that what constitutes “industry-tested and accepted methods” of data security is dynamic and a constantly moving target. This dynamism, coupled with the flexibility of the FTC’s unfairness standard, presents a challenge for the technology community as to what, specifically, is required to ensure that cybersecurity measures are reasonable and, therefore, compliant with the law.
Reasonable Security Measures and Industry-Tested & Accepted Methods as to IoT
To illustrate, IEEE Future Directions recently featured a two-part article in which Chaudhry, et al. detailed security concerns presented as IoT comes online in real and exponentially growing markets [30][31]. The authors point out that what might be otherwise considered industry-accepted methods, i.e., methods as may be acceptable in a non-IoT context under the FTC’s Tried and True Guidance, do not anticipate and allay such forward-looking IoT security concerns. Those methods, now contextually rendered IoT-insufficient, may fail to comply with this component of the FTC’s reasonable security measures requirement. If so, then the use of IoT-insufficient cybersecurity methods in IoT contexts may be illegal as an unfair act or practice and may expose consumers and the companies using those methods to inacceptable risks, including, for example, potential class actions from consumers and shareholders [32]. The occurrence of the Dyn attack on IoT devices in October 2016 suggests that, with the imminently foreseeable risk of substantial consumer harm, the noted IoT security failings violate the Act [33][34].
Call to Collaborate
From a technologist’s perspective, laws and law-making may seem archaic and out of touch with a world where science fiction quickly becomes science fact. There are good democracy-protecting and other reasons for law’s slower pace. Collaborations and other mutual knowledge exchanges between these two realms are vital to informed legal decision-making.
Likely no group is better-positioned than IEEE and its constituencies to collaborate with the FTC, including by providing scientific and technical commentary regarding its Tried and True Guidance and other cybersecurity matters. The FTC provides ample opportunities to provide commentary, receive written responses, and monitor and participate in its cybersecurity activities [35][36]. Through these easily accessible mechanisms, IEEE has important opportunities to collaborate with the FTC [37]. Moreover, IEEE’s scientific and technological insights are essential to the FTC’s informed cybersecurity policy, regulatory, and enforcement actions. By engaging with the FTC, IEEE is sure to make immensely meaningful contributions in the development of relevant cyberlaw and reap the benefits of legally-informed cybersecurity research, development, and business activities. Let the collaborations begin.
References:
1. See FTC Act, Pub. L. No. 63-201, ch. 311, § 5, 38 Stat. 717 (1914) (codified as amended at 15 U.S.C. §§ 41-58 (2012)) [hereinafter “FTC Act”]. Available: http://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title15-chapter2-subchapter1&edition=prelim.
Bear in mind that the FTC’s enforcement as to unfair acts or practices, including as to failures to implement reasonable security measures, operates within the federal legal system in the United States and across most industry verticals. See, e.g., “How FTC Data Security Aligns with NIST Cybersecurity Framework,” Health IT Security (Elizabeth Snell, ed.) (Sept. 1, 2016). Available: http://healthitsecurity.com/news/how-ftc-data-security-aligns-with-nist-cybersecurity-framework. Other federal laws and authorities also apply to aspects of cybersecurity[i] or within particular subject matter or industry jurisdictions. See, e.g., Office of Device Evaluation, U.S. Food & Drug Administration, Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software (Jan. 14, 2005). Available: https://www.fda.gov/MedicalDevices/ucm077812.htm.
States also have unfair trade practices and other laws that apply to cybersecurity. These state unfair trade practices law often are called “little FTC acts” because they often closely follow the FTC Act. See Christine Lipsey & Dylan Tuggle, “Little FTC Acts and Statutory Treble Damages – Traps for the Unwary,” Bus. Tort J., v. 17, p. 4 (Amer. Bar Assoc. Litigation Section, Fall 2009). Available: https://apps.americanbar.org/litigation/committees/businesstorts/articles/1109_lipsey.html. They can have significant differences, however, that increase legal risk. See id. State enforcement authorities and courts frequently adopt the FTC’s Commission decisions, administrative adjudications, and regulatory and other guidance. See, e.g., Camacho v. Automobile Club of Southern California, 142 Cal. App. 4th 1394, 1402-03 & nn. 10-11 (Cal. App. 2d Dist. 2006) (discussing unfairness standards) (citations omitted). For the readers’ convenience, internal citations are omitted.
2. For a detailed examination of the FTC’s authority and earlier prosecutions of some 100 cases of numerous types of cyberfraud, see Emile Loza, “Internet Fraud: Federal Trade Commission Prosecutions of Online Conduct,” Commun. & the Law, v. 23, pp. 55-98, 2001. Abstract available: http://ssrn.com/abstract=1615855. For the full text, visit http://heinonline.org or contact the author at eloza@technologylawgroup.com.
The FTC also cooperates with criminal law enforcement agencies, such as the U.S. Department of Justice, on cybersecurity and other matters. See, e.g., Donal Power, “Terrorist in the Machine: U.S. DOJ Fears IoT Security Threat,” ReadWrite (Sept. 26, 2016). Available: http://readwrite.com/2016/09/26/terrorist-machine-u-s-justice-dept-sees-iot-security-threat-cl4/.
3. As with many legal expressions, “commerce” is a term of legal art and, as compared to a lay understanding of that word, is more broadly defined in Section 4 of the FTC Act and otherwise as interpreted by administrative agencies and the courts. In addition, deceptive acts or practices under the FTC Act may be viewed as a subset of unfair acts or practices. See FTC v. Int’l Harvester Co., 104 F.T.C. 949, 1060 (1984).
4. Note that the word “consumers” encompasses more market participants broader than just individual purchasers. Businesses are also consumers that are protected by the FTC.
5. FTC Act, supra note 1, § 5(n) (codified as amended at 15 U.S.C. § 45(n)).
6. See, e.g., FTC v. Wyndham Worldwide Corporation, 799 F.3d 236, 243-47 (3d Cir., issued Aug. 24, 2015) [hereinafter “Wyndham Appellate Decision”]. Available: https://www.ftc.gov/system/files/documents/cases/150824wyndhamopinion.pdf.
7. See also MJ Petroni & Jessica Long with Steven Tiell, et al., Data Ethics: Informed Consent and Data in Motion (June 2016) (Accenture & CauseIt research conceptualizing IoT as a “Social Network of Things” and discussing ethics, business sustainability as to consumers’ data literacy and the need for truly informed consent as it relates to and changes in IoT contexts where data in motion predominate). Available: http://www.causeit.org/data-ethics. For transparency, the author serves as general counsel to CauseIt, a technology and humanity futures consultancy.
8. See Wyndham Appellate Decision, supra note 6, at 246.
9. See id.
10. See id. at 246-47.
11. The U.S. Court of Appeals for the Third Circuit affirmed the lower court’s ruling against the Wyndham defendants, which sought to have the FTC’s enforcement action dismissed. See id.
12. See FTC v. Wyndham Worldwide Corporation, Case No. 2:12-CV-01365-PGR, First Amended Complaint, ¶¶ 1-2, 14-19 & 26-40 (D. Ariz., filed Aug., 9, 2012) [hereinafter “Wyndham Complaint”]. Available: https://www.ftc.gov/sites/default/files/documents/cases/2012/08/120809wyndhamcmpt.pdf. The FTC also claimed that the Wyndham defendants engaged in deceptive acts or practices where its posted policy that it followed industry standard cybersecurity practices was blatantly false. See id. at ¶¶ 20-39.
13. Id. at 40.
14. Id.
15. Wyndham Appellate Decision, supra note 6, at 248. Additionally, the FTC’s reasonable security measures requirement maps to the National Institute of Standards and Technology, or NIST, Cybersecurity Framework. See FTC, The NIST Cybersecurity Framework and the FTC (Aug. 2016). Available: https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc. Further, it has been interpreted or at least is the subject of debate as to its co-operation with other relevant laws, such as the Health Insurance Portability and Accountability Act of 1996, or HIPAA. See, e.g., “How FTC Data Security Aligns with NIST Cybersecurity Framework,” Health IT Security (Elizabeth Snell, ed., Sept. 1, 2016). Available: http://healthitsecurity.com/news/how-ftc-data-security-aligns-with-nist-cybersecurity-framework. See also, e.g., “ONC Report Highlights PHI Security Gaps in non-HIPAA Entities,” Health IT Security (Elizabeth Snell, ed., July 19, 2016). Available: http://healthitsecurity.com/news/onc-report-highlights-phi-security-gaps-in-non-hipaa-entities.
16. See Press Release, FTC, FTC Report on Internet of Things Urges Companies to Adopt Best Practices to Address Consumer Privacy and Security Risks (Jan. 27, 2015). Available: https://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices.
17. See generally FTC Staff Report, FTC, Internet of Things: Privacy and Security in a Connected World (Jan. 2015). Available: https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.
18. See generally FTC, Start with Security: A Guide for Business – Lessons Learned from FTC Cases (June 2015) [hereinafter “Start with Security”]. Available: https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business.
19. See id. at pp. 9-10.
20. See id.
21. See, e.g., FTC, In re HTC America Inc., File No. 122-3049, Dkt. No. C-4406, Complaint 2-3, ¶ 9 (filed June 25, 2013).
22. As a matter of additional interest regarding supervisory control and data acquisition (“SCADA”) systems, the U.S. Nuclear Regulatory Commission (“NRC”) is the governing legal authority. See generally NRC, Backgrounder on Cyber Security (Oct. 2016). Available: https://www.nrc.gov/reading-rm/doc-collections/fact-sheets/cyber-security-bg.html. Although no courts have issued decisions to-date for cybersecurity-related SCADA failures, reasonable cybersecurity measures are required, and there have been failures.[i] See Search of all federal & state litigation to-date, Lexis.com (conducted Apr. 27, 2017); Jennifer A. Chandler, “Security in Cyberspace: Combatting Distributed Denial of Service Attacks,” Univ. of Ottawa Law & Tech. J., v. 1, pp. 239-240, 2003. Available: http://uoltj.ca/articles/vol1.1-2/2003-2004.1.1-2.uoltj.Chandler.231-261.pdf. For example, a failure to install a software patch, released some six (6) months earlier, enabled a worm to infiltrate an Ohio nuclear power plant through an insecure route that had been left open around the plant’s firewall. See Chandler, supra. The worm entered the plant’s computer network from the corporate network of the utility company operator of the plant and went on to disable the plant process computer and render the plant’s safety parameter display system inoperable for several hours. Fortunately, the plant was offline at the time, and a redundant system came into operation. See id.
23. See Press Release, FTC, FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras (Jan. 7, 2017). Available: https://www.ftc.gov/news-events/press-releases/2017/01/ftc-charges-d-link-put-consumers-privacy-risk-due-inadequate.
24. See Press Release, FTC, ASUS Settles FTC Charges That Insecure Home Routers and “Cloud” Services Put Consumers’ Privacy At Risk (Feb. 23, 2016). Available: https://www.ftc.gov/news-events/press-releases/2016/02/asus-settles-ftc-charges-insecure-home-routers-cloud-services-put.
25. See Press Release, FTC, Marketer of Internet-Connected Home Security Video Cameras Settles FTC Charges It Failed to Protect Consumers’ Privacy (Sept. 4, 2013). Available: https://www.ftc.gov/news-events/press-releases/2013/09/marketer-internet-connected-home-security-video-cameras-settles.
26. See Press Release, supra note 24 (ASUS).
27. See Press Release, supra note 25 (TRENDNet).
28. Start with Security, supra note 18, at p. 6.
29. See Emile Loza de Siles, “Cybersecurity & Cybercrime: Intellectual Property & Innovation,” Landslide, v. 8, no. 2, p. 3 (Amer. Bar Assoc., Section of Intellectual Property Law, Nov.-Dec. 2015). Abstract available: http://www.americanbar.org/publications/landslide/2015-16/november-december/cyber_security_and_cybercrime_intellectual_property_and_innovation.html. For the full text, please contact the author at eloza@technologylawgroup.com.
30. See Junaid Chaudhry, Ahmed Ibrahim & Ali Kashif Bashir, “Internet of Threats and Context Aware Security,” IEEE Future Directions (Rasheed Hussain, ed., Jan. 2017) (Part 1). Available: https://cmte.ieee.org/futuredirections/tech-policy-ethics/january-2017/internet-of-threats-and-context-aware-security-part-one/.
31. See Junaid Chaudhry, Ahmed Ibrahim & Ali Kashif Bashir, “Internet of Threats and Context Aware Security,” IEEE Future Directions (Rasheed Hussain, ed., Mar. 2017) (Part 2). Available: https://cmte.ieee.org/futuredirections/tech-policy-ethics/march-2017/internet-of-threats-and-context-aware-security-part-two/.
32. See, e.g., In re Anthem, Inc. Data Breach Litigation, 2016 U.S. Dist. LEXIS 70594 (N.D. Cal., May 27, 2016); Irwin v. Jimmy John’s Franchise, LLC, 175 F. Supp. 3d 1064 (C.D. Ill., Mar. 29, 2016); Singletery v. Equifax Information Services, LLC., 2011 U.S. Dist. LEXIS 156215 (N.D. Ala., Sept. 22, 2011).
33. See McAfee Labs, Intel Security, Threat Report, pp. 2-3, 6 & 16-34 (Apr. 2017) (discussing Mirai botnet exploit of poorly-secured IoT devices in so-called “Dyn” distributed denial of service attack and security recommendations). Available: https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-mar-2017.pdf.
34. See Chaudhry, et al., supra note 31, pp. 1-2 (Part 2 discussing Dyn attack).
35. See, e.g., FTC, In re HTC America Inc., File No. 122-3049 (updated July 2, 2013) (providing links to FTC’s proposed consent order; notice entitled, “HTC America Inc.; Analysis of Proposed Consent Order to Aid Public Comment,” as published in 78 Fed. Reg. 13,673-75 (Feb. 28, 2013); and responses to various individuals regarding their respective comments to proposed consent order). Available: https://www.ftc.gov/enforcement/cases-proceedings/122-3049/htc-america-inc-matter.
36. See also, e.g., FTC, Lorrie Cranor, “Your Research Can Help the FTC Protect Consumers,” Tech@FTC (Jan. 17, 2017) (blog post). Available: https://www.ftc.gov/news-events/blogs/techftc/2017/01/your-research-can-help-ftc-protect-consumers.
37. A search of public comments received by the FTC did not return any findings under the IEEE organizational name or acronym, as of April 25, 2017.
Emile Loza de Siles is founder and chief technology counsel of Technology & Cybersecurity Law Group, PLLC, a trusted law and intelligence firm since 2003 and a minority- and woman-led organization. Her practice emphasizes technology and cybersecurity transactions, investigations, compliance, litigation, corporate counsel, and business-driven legal strategy services. She publishes frequently on blockchain and other law and technology topics. Her representative clients include Cisco, HP, Accenture, and other Fortune 100 and emerging technology innovators. She served with the U.S. Federal Trade Commission (“FTC”) as clerk to Commissioner Sheila Anthony and as a federal Internet fraud investigator with the FTC’s Bureau of Consumer Protection. She also served as attorney advisor with the Office of General Counsel, U.S. Department of Commerce.
Based in Washington, D.C., Ms. Loza de Siles holds a graduate certificate in cybersecurity strategy from Georgetown University and earned her juris doctor from The George Washington University Law School (“GW Law”). She also holds an MBA and a B.S. degree in technology. In 2010, she was Visiting Scholar with GW Law’s International and Comparative Law Program and, in 2010-2011, a Fellow of its Center for Law, Economics, and Finance. Please reach Ms. Loza de Siles at eloza@TechnologyLawGroup.com.
Editor:
Dr. Junaid Chaudhry is an information security and computer networks enthusiast. Currently, Junaid is a key member of the Security Research Institute at Edith Cowan University where along with his team, is working on cutting edge cyber security solutions. He is also leading a startup of perfectionistic bunch of security researchers, digital forensics and information retrieval experts, penetration testers and bug hunters, interdisciplinary research aficionados, software coders, social scientists, medical science researchers that are passionate about making the world a better and more secure place. He has spent more than 5 years in designing, delivering, and researching in institutes at tertiary level, 6 years at research centres, and for the last 5 years he has been working in the information security industry. He worked at University of Amsterdam, Qatar University, Universiti Teknologi Malaysia, Univeristy of Hail, Univeristy of Trento, and University of South Pacific. He has also worked with Al-Jazeera, State of Qatar, Qatar Foundation, FBK, etc as consultant. Dr. Chaudhry has obtained training at teaching excellence from Harvard Business School, Univeristy of Amsterdam, Universiti Teknologi Malaysia, and maintains a certified professional status with Australian Computing Society. Junaid’s research interests are cross disciplinary research, malware analysis, anomalies detection, cyber hunting, and digital forensics. He has published more than 50 papers and have authored 3 international books.