FTC can finally sue businesses that fail at basic best practices for cyber security.
-
@Dashrender said:
Yeah more power to just make up any rules they want.
I feel that we need an agency holding companies' feet to the fire, as it were, but without real, almost specific guidelines, ....
But we know in IT that guidelines are bad. That's how you get insecurity. IT is not a field that can be defined by strict rules. Best practices, understanding the individual situation.... we can't get out of doing IT by having a government agency define what the job is. We wouldn't even have jobs anymore, we'd just check a bunch of boxes and go home at the end of the day letting the government do what it is that we are here to do.
The bottom line is that the government cannot do this AND protect people. It can hold companies accountable for doing their due diligence and due diligence in security is at odds with strict guidelines.
You can't have it both ways. Some guidelines, yes, strict ones, no. This is how PCI fails often causing exposures rather than fixing them (saw that this week.) Or how the FDA ends up running ridiculously insecure operating systems and software.
-
@Dashrender said:
Luckily we haven't seen this be an issue with HIPAA and related audits so far.
The FTC would have to take you to court. So a legal process would have to uphold their findings.
-
Reading through the court ruling, the court in this case actually found and agreed / used "unfair methods of competition in commerce" (bottom of page 12 / top of page 13 of the PDF)
"The Federal Trade Commission Act of 1914 prohibited “unfair methods of competition in commerce.” Pub. L. No. 63-203, § 5, 38 Stat. 717, 719 (codified as amended at 15 U.S.C. § 45(a)). Congress “explicitly considered, and rejected, the notion that it reduce the ambiguity of the phrase ‘unfair methods of competition’ . . . by enumerating the particular practices to which it was intended to apply.” FTC v. Sperry & Hutchinson Co., 405 U.S. 233, 239–40 (1972) (citing S. Rep. No. 63-597, at 13 (1914)); see also S. Rep. No. 63-597, at 13 (“The committee gave careful consideration to the question as to whether it would attempt to define the many and variable unfair practices which prevail in commerce . . . . It concluded that . . . there were too many unfair practices to define, and after writing 20 of them into the law it would be quite possible to invent others.” (emphasis added)). The takeaway is that Congress designed the term as a “flexible concept with evolving content,” FTC v. Bunte Bros., 312 U.S. 349, 353 (1941), and “intentionally left [its] development . . . to the Commission,” Atl. Ref. Co. v. FTC, 381 U.S. 357, 367 (1965).
After several early cases limited “unfair methods of competition” to practices harming competitors and not consumers, see, e.g., FTC v. Raladam Co., 283 U.S. 643 (1931), Congress inserted an additional prohibition in § 45(a) against “unfair or deceptive acts or practices in or affecting commerce,” Wheeler-Lea Act, Pub. L. No. 75-447, § 5, 52 Stat. 111, 111 (1938).
For the next few decades, the FTC interpreted the unfair-practices prong primarily through agency adjudication. But in 1964 it issued a “Statement of Basis and Purpose” for unfair or deceptive advertising and labeling of cigarettes, 29 Fed. Reg. 8324, 8355 (July 2, 1964), which explained that the following three factors governed unfairness determinations:
(1) whether the practice, without necessarily having been previously considered unlawful, offends public policy as it has been established by statutes, the common law, or otherwise—whether, in other words, it is within at least the penumbra of some common-law, statutory or other established concept of unfairness; (2) whether it is immoral, unethical, oppressive, or unscrupulous; [and] (3) whether it causes substantial injury to consumers (or competitors or other businessmen)."
[Case: 14-3514, Document: 003112053032, Page 13, Date Filed: 08/24/2015]
So the guidelines are structured to develop and grow as IT grows and develops. So it isn't a stringent "this is how to do it".
-
@scottalanmiller said:
@Dashrender said:
Luckily we haven't seen this be an issue with HIPAA and related audits so far.
The FTC would have to take you to court. So a legal process would have to uphold their findings.
OK well at least there's that protection, for now.
We have the Fire Marshal come through and write things up that were completely fine the year before simply because a coding number of safety has changed, yet the underlying hardware rarely does, and now we have to replace perfectly good hardware. What a waste.
-
@Dashrender said:
OK well at least there's that protection, for now.
Here is the problem with your logic - you have decided that the government is going to do the wrong thing, period. That's fine, but you are running with that in ways that make no sense. When the government does the absolute right thing, you counter with "but they might not always do the right thing."
Um, sure. But you don't need this ruling for that to happen. If the government was going to go crazy and not use the courts, they sure don't need the courts having approved the FTC to sue people, right? So this ruling has literally nothing to do with what you are fearing.
Your fear is that you simply fear the government so you are acting like anything they do is wrong. When it is wrong, well it's wrong. And when it is right, well... it could be wrong later. So what do you want the government to do, just do the wrong thing only?
-
@DustinB3403 said:
So the guidelines are structured to develop and grow as IT grows and develops. So it isn't a stringent "this is how to do it"
Sure sounds like they are on the ball to me.
-
One of the reasons that this ruling is important is that many businesses do things like play fast and loose with customer data because they think that they will never get caught or they weigh the risks and feel that they can take big chances with other people's data because it gives them a competitive advantage.
If you have two companies, A and B, and B spends $4,000,000 a year on securing their customer data and companies A knows that, company A can spend $200,000 securing their customer data and just take the risk. Saving a hard $3,800,000 a year is a guaranteed savings. And it isn't really you at risk, per se, it is customers who trusted you.
So because company B sees it, as does the government, as an ethical necessity of keeping customer data that it be secured it can be seen competing unfairly by breaching ethics or legal responsibilities in order to take profits from company B. Company B cannot really compete while meeting its obligations.
-
Yeah I really think the FTC finally has some ability to enforce best practices.
My only concern is that the FTC could very easily begin using this power to chase down SMBs who, even for a lack of trying, aren't capable of implementing 'Best practices' at the time of the suit.
By this I mean, the FTC may bring a suit against an SMB who is very well secured, but a new procedure or process is developed that (and think just crazy nonsense here) everyone should immediately implement because if they don't then they're just being negligent.
But this solution would cost any business, SMB, Enterprise, etc., upwards of $20,000 (for example, I know it's small change relatively speaking).
So now every SMB and Enterprise who can't immediately implement this new best practice is on the block to be sued by the FTC.
Hopefully it won't go that way, as best practices do vary based on business clientele. But who's to say it won't.
-
@scottalanmiller said:
@Dashrender said:
OK well at least there's that protection, for now.
Here is the problem with your logic - you have decided that the government is going to do the wrong thing, period. That's fine, but you are running with that in ways that make no sense. When the government does the absolute right thing, you counter with "but they might not always do the right thing."
Um, sure. But you don't need this ruling for that to happen. If the government was going to go crazy and not use the courts, they sure don't need the courts having approved the FTC to sue people, right? So this ruling has literally nothing to do with what you are fearing.
Your fear is that you simply fear the government so you are acting like anything they do is wrong. When it is wrong, well it's wrong. And when it is right, well... it could be wrong later. So what do you want the government to do, just do the wrong thing only?
lol - you seem aggressively stance taking the last few days Scott - everything OK?
Yeah, in general I disagree with the government getting in the way. Our free market is nearly anything but, and because of that it can't be regulated by natural means (people voting with their dollars); instead it's controlled by lobbyists and those with deep pockets.
Do we need some regulation, heck yeah we do. But I will always have that fear, just like you will always fear some guy walking down the street with a side arm holstered (I'm not talking about the crazy walking down with an assault weapon in his arms).
-
@Dashrender said:
Yeah, in general I disagree with the government getting in the way.
I more or less agree, but basic consumer protections seem an odd place to not want to have legal protections. As a consumer, do you not want the government to have the right to prosecute companies that violate capitalism and attempt to put you at risk for their own gain?
-
@Dashrender said:
But I will always have that fear, just like you will always fear some guy walking down the street with a side arm holstered.
Yes, but unlike the guy with the gun, we need the government, it is a necessity. Capitalism only functions when there is solid government oversight. I'm not talking nationalism like what they did with banking, that was the poor making the rich richer through a failed attempt at using the government as a weapon for classism and backfiring spectacularly on the people trying to lash out in anger. But basic consumer protections are very important.
For example the UK's Trades Descriptions Act where they said that you can't lie about products. That's important, you need to know that companies are not allowed to tell you you are buying one thing then sell you another and run off with your money. Basic laws are needed to protect capitalism and make it work.
-
@scottalanmiller said:
@Dashrender said:
Yeah, in general I disagree with the government getting in the way.
I more or less agree, but basic consumer protections seem an odd place to not want to have legal protections. As a consumer, do you not want the government to have the right to prosecute companies that violate capitalism and attempt to put you at risk for their own gain?
What I want is the ability for the public to be made aware of these breaches, and when Company A in your example does finally have a breach, that the public at large will move to company B and A will go out of business, but the law is used to basically keep that from happening, though I can't currently cite an example.
Of course this desire has a huge flaw in it.. and that's thinking that the general public will either a) care or b) be willing to spend more money on Company B because they protect the consumer better. I think the amount of people who still use Sony PSN are a great example of those who fail on both points.
-
@DustinB3403 said:
My only concern is that the FTC could very easily begin using this power to chase down SMBs who, even for a lack of trying, aren't capable of implementing 'Best practices' at the time of the suit.
Why is that a bad thing? That sounds like a great thing to me. Companies need to be held accountable. If an SMB can't afford to do what needs to be done, they should not be allowed to be in business.
This is the same logic that many SMBs use for pirating software. They believe that being in business is a right and that other people or companies have to provide for them to ensure that they make a profit. How many companies steal Windows because they "can't afford to pay for it" but won't use Linux because "that's not how they choose to do business?" They are just crooks and there is no excuse for it. They are stealing from Microsoft, from the industry, etc. in order to stay in business. Other businesses have to pay for the tools that they use and have to secure customer data. Not doing so is anti-competitive.
I doubt the FTC will take the time to go after SMBs, but I think it would be amazing if they did. We need protection from reckless SMBs more than any other business category, especially as IT pros.
-
@scottalanmiller said:
For example the UK's Trades Descriptions Act where they said that you can't lie about products. That's important, you need to know that companies are not allowed to tell you you are buying one thing then sell you another and run off with your money. Basic laws are needed to protect capitalism and make it work.
Sure, but in a Free Market those companies won't last long anyway - sure some people will be burned by the crap company, but soon the word will get out that they claim A and give B... and a competitor will come along and offer A for real and people will go to them.
But again, I'm entrusting too much to human nature and in reality my hopes die a miserable death. lol
-
@Dashrender said:
Sure, but in a Free Market those companies won't last long anyway - sure some people will be burned by the crap company, but soon the word will get out that they claim A and give B... and a competitor will come along and offer A for real and people will go to them.
Actually, free market studies say the opposite. Running fast and loose is often the best way to succeed as long as there is no regulatory system to stop it. Look at Lenovo as a great example. They didn't just put customers at risk by being lazy, they did it intentionally. How quickly did even IT pros forget and/or forgive and keep recommending the product or buying them? How many consumers or businesses even understand the risk that they were put under? Very few.
The free market does not have a long memory. Companies that do things so badly as to actually cause the market to hate them and remember them (can you even think of a company so bad that it falls into this category) can easily just rebrand and do the whole thing again (Cingular renamed themselves AT&T, everyone forgot how awful they were and Windstream changed their name to Windstream because no one would do business with them under the old name, now everyone buys them again and experiences the exact same problems.)
Free markets and consumers simply don't work like this. The best way to make money in a free market is to treat customers poorly in general. Customers are not rational and do not react to bad treatment in the way that you would expect.
-
@Dashrender said:
But again, I'm entrusting too much to human nature and in reality my hopes die a miserable death. lol
You should read Predictably Irrational. It talks, among many other things, about how consumers are easily manipulated by really irrational things and how even when being told that they are being manipulated and how, test groups like Harvard MBA classes are still completely controlled by the manipulation.
-
Not that I feel that companies should not be allowed to manipulate. Marketing is all about manipulation and no one gets manipulated that doesn't allow themselves to be. So I don't feel that people should be protected from it. As long as it isn't deceptive.
-
@scottalanmiller said:
This is the same logic that many SMBs use for pirating software. They believe that being in business is a right and that other people or companies have to provide for them to ensure that they make a profit. How many companies steal Windows because they "can't afford to pay for it" but won't use Linux because "that's not how they choose to do business?" They are just crooks and there is no excuse for it. They are stealing from Microsoft, from the industry, etc. in order to stay in business. Other businesses have to pay for the tools that they use and have to secure customer data. Not doing so is anti-competitive.
Pirating software is simply a choice that many people and companies make because they don't value the software, but they should.
I personally agree any company who doesn't follow best practices should be pressured to get up to "standard" if they aren't already (by lawsuit). What I don't want / hope, I guess, is that the FTC doesn't begin blindly suing companies of any size because new technology hasn't immediately been implemented. Even if 1 of their competitors has implemented it.
It would seem to be unfair if I worked at company A, and called the FTC on company B who didn't immediately implement the newest security measure for my own gain of possibly putting company B out of business so I have less competition. Even if company B offers a better higher quality product.
Is it fair, yeah, does it seem just, no of course not. I can see many businesses in this scenario being royally boned because of slighted competitors.
-
@scottalanmiller said:
@DustinB3403 said:
My only concern is that the FTC could very easily begin using this power to chase down SMBs who, even for a lack of trying, aren't capable of implementing 'Best practices' at the time of the suit.
Why is that a bad thing? That sounds like a great thing to me. Companies need to be held accountable. If an SMB can't afford to do what needs to be done, they should not be allowed to be in business.
This is the same logic that many SMBs use for pirating software. They believe that being in business is a right and that other people or companies have to provide for them to ensure that they make a profit. How many companies steal Windows because they "can't afford to pay for it" but won't use Linux because "that's not how they choose to do business?" They are just crooks and there is no excuse for it. They are stealing from Microsoft, from the industry, etc. in order to stay in business. Other businesses have to pay for the tools that they use and have to secure customer data. Not doing so is anti-competitive.
I doubt the FTC will take the time to go after SMBs, but I think it would be amazing if they did. We need protection from reckless SMBs more than any other business category, especially as IT pros.
Yeah, I agree with this. It's funny, if you take those same SMB owners and someone starts to rip off what they are doing they will get all indignant on the thieves, but they can't simply look in the mirror.
Equally I'm frustrated by SMBs who buy a $30K printer and in 8 years are crying that they can't replace it with something new because the XP machine that runs it is no longer supported, yet that is the only way the manufacturer has to manage the device, and the SMB is unable/unwilling to buy new equipment - Why wasn't that considered when it was purchased? Why aren't they accruing for the next purchase at the EOL of that equipment? I suppose they might say, well, the life of the machine is until it dies and I can't get replacement parts - etc, etc... I'm not really sure where to go from here...
-
@Dashrender said:
Yeah, I agree with this. It's funny, if you take those same SMB owners and someone starts to rip off what they are doing they will get all indignant on the thieves, but they can't simply look in the mirror.
It's very true. It really does seem that the people most upset about being ripped off are the ones most likely to do it.