EPISODE 5
How the FTC Defines “Reasonable Cybersecurity”

EP 5: How the FTC Defines “Reasonable Cybersecurity”

Our bi-weekly Inflection Point bulletin will help you keep up with the fast-paced evolution of cyber risk management.

Sign Up Now!

About this episode

July 24, 2018

Kip Boyle, CEO of Cyber Risk Opportunities, talks with Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, about how the FTC has been working since 2010 to define “Reasonable Cybersecurity” standard. We discuss three specific cases from over 60 that are publicly available.

Tags:

Episode Transcript

Kip Boyle: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives become better cyber risk managers. We are your hosts, I'm Kip Boyle, CEO of Cyber Risk Opportunities.

Jake Bernstein: And I'm Jake Bernstein, cyber security council at the law firm of Newman Du Wors.

Kip Boyle: And this is the show where we help you become a better cyber risk manager.

Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman Du Wors, LLP. If you have questions about your cyber security related legal responsibilities.

Kip Boyle: And if you want to manage your cyber risks, just as thoughtfully as you manage risks in other areas of your business, such as sales, accounts receivable and order fulfillment, then you should become a member of our cyber risk managed program, which you can do for a fraction of the cost of hiring a single cybersecurity expert. You could find out more by visiting us at cyberriskopportunities.com and Newmanlaw.com. Jake, what are we going to talk about today?

Jake Bernstein: Hi Kip. Today we're going to talk about a couple, actually three FTC cases as they relate to cybersecurity. It's important to understand how the FTC operates in this space and what the history of their enforcement has been.

Kip Boyle: Okay. Okay. That's great. So before we get into the details, why don't you remind us, please, what role does the FTC play today with respect to cybersecurity?

Jake Bernstein: Sure. So the Federal Trade Commission, as you know, it's been around for a long time, some 1914, in fact, and they regulate industry broadly in the country. They have an antitrust division and they have a consumer protection division. And the consumer protection division enforces against unfair or deceptive acts or practices. And what the FTC decided is that cybersecurity practices that result in consumer harm are unfair. And that might seem like an interesting definition, but the definition of unfairness under the FTC act is any act or practice that harms consumers that a reasonable consumer could not have avoided, and that is not outweighed by countervailing benefits to the consumer or competition.

Kip Boyle: Oh, okay. That sounds super complicated. So I imagine we're going to break that down. And just to be clear, whose practices are they focused on?

Jake Bernstein: They are focused on everyone's practice in trade or commerce. The FTC can enforce these rules and these laws against anything that "occurs in trade or commerce." There's very little that does not occur in trader commerce. One could potentially argue that certain types of nonprofits do not. Churches would not, for example, but otherwise we're talking essentially the entire economy.

Kip Boyle: Okay. And so clearly the FTC, I know from my experience, the FTC has really paid attention to consumers. What about business to business transactions and trade? Is that also within their purview with respect to cyber security?

Jake Bernstein: It is. And that's because under FTC law businesses can also be consumers.

Kip Boyle: Oh, okay. So we're not just talking about individuals, we're talking about buyers.

Jake Bernstein: Right.

Kip Boyle: Okay. I get it.

Jake Bernstein: Yeah.

Kip Boyle: Okay. All right. So do you want to talk about the cases or do you want to break down that really long description of what the FTC is up to first? Or maybe break it down as we go? How do you want to do it?

Jake Bernstein: I think we'll just simplify the definition, unfairness as far as we care right now, is it hurts consumers and they couldn't have reasonably avoided it.

Kip Boyle: Okay. That's great. I love how you shrunk that down. That's fantastic. Okay. So, you said we want to look at some cases, is that right? Where do you want to start?

Jake Bernstein: Well, I think the place to start has got to be FTC versus Wyndham Worldwide Corporation. This is, to date, the only one of these cybersecurity cases that has gone to a circuit court, in this case, the third circuit court of appeals. And the decision is from August 24th, 2015.

Kip Boyle: Okay. Okay. Hold on. So I got a couple questions about that. So Wyndham, where have I seen Wyndham before? Is this the hotel company?

Jake Bernstein: Wyndham Worldwide Corporation is a hospitality company. Yes. It is the worldwide hotel company. They have timeshares, they have resorts, they have hotels, they have motels. They have everything related to accommodation and hotel.

Kip Boyle: Okay. Okay, great. So now we know what industry we're talking about. And then you said something about a circuit court. Why is that important?

Jake Bernstein: So here's a very short description of the federal courts. Basically you have federal trial court, which is usually called district court. Then if you don't like the decision there, you can appeal to the circuit court of appeals. There are 11 circuits, there may be 12 circuits now. At any rate right above them is the US Supreme court. So, that's as far as you go. So the point here is that the third circuit is, the only place you can go higher than the third circuit is the US Supreme court, and all the circuits are equal. And the reason this is important is that unless another circuit court has occasion to rule differently than this Wyndham case, the US Supreme court will not take a look at it. And even if the US Supreme court did take a look at it, there's no reason to expect that it would overrule the third circuit in this situation. So this is the law.

Kip Boyle: Got it. Okay. Okay. That's great. Thank you for the non-lawyers who may be listening. So tell us about Wyndham.

Jake Bernstein: So Wyndham is a, in some ways it's a really good example of what you do not ever want to do. A lot of the times there's a strategy. And when you're trying to develop the law and it can be summarized as, good facts make good law? The corollary of that, of course, is bad facts make bad law. And that happens a lot too.

Kip Boyle: Okay. So we've got some good facts here?

Jake Bernstein: So here, well, not if you're Wyndham, if you're the FTC, they had phenomenal facts. Basically, if you think of every single bit of cyber hygiene that a reasonable company is going to do, Wyndham didn't do it. They hardly even used, they didn't even have firewalls on some of their locations. And if you think about what Wyndham is, it's a hospitality company. Well, what does a hospitality company have to have? Locations, location, location, location, worldwide, everywhere. Every single one of those locations has to somehow talk to one another. They're going to have a network. And their network was, frankly, God awful. They like I said, they didn't use firewalls. They did not use even basic password management or requirements crosstalk.

Kip Boyle: Okay. And we're talking about their data networks here, right?

Jake Bernstein: We're talking about their data network. Yes. Their network, their data was essentially wide open and it was exploited. In fact, it was exploited not once, not twice, but three times. And on that third time, the FTC said, this is enough. And they said, look, this is not reasonable data security. This violates the unfairness, as we talked about, basically all these consumers were getting hurt, identity theft, credit card fraud, and they really couldn't have done anything about it. They didn't know that Wyndham was so poorly secured. So, they ended up suing. And crosstalk.

Kip Boyle: So, the FTC sued Wyndham?

Jake Bernstein: The FTC sued Wyndham and Wyndham lost in the district court. And, of course, they've appealed. And the questions, there are really two questions that the Wyndham court, the third circuit court of appeals asked, and that was one, can the FTC regulate cybersecurity under the unfairness prong of the FTC act. And then two, did Wyndham have a fair notice that its cybersecurity practices could violate the FTC act? So the first is a substantive question and the second is what we would call a due process question.

Kip Boyle: So the second one almost reminds me, or makes me think about ignorance. Is that what they're getting at? Was Wyndham ignorant of the law, or did they know the law? Is that what that second question is?

Jake Bernstein: Yes. More or less. The argument there was that, hey, we didn't know. And generally speaking, ignorance of the law is no excuse, but this is a situation where they were arguing something a little more sophisticated than that, which is basically, hey, you violated our due process rights because we didn't have fair notice that our practices even possibly could violate the FTC act. And it really ties in with the first, the question crosstalk.

Kip Boyle: Okay. Okay. So Wyndham had some good lawyers, is what you're saying.

Jake Bernstein: Sure.

Kip Boyle: Okay. Now, before we continue, I had another question here, which is, in a way isn't Wyndham a victim? If nobody had ever attacked them, if nobody had ever tried to steal from them, this probably never would've happened, right?

Jake Bernstein: Yes. One could say, on one level, Wyndham is definitely a victim. They were hacked three times. They're a victim in so far as they were hit. But as we've talked about, I believe in other podcasts, there is a reasonable cybersecurity standard. Basically we've decided that you can't just do nothing and hope you don't get attacked, that you have some, as a business owner, maybe even as a person, you have some affirmative duty to defend the data that you collect. And that's a podcast in its own right, the question of whether or not they're a victim and should we be blaming the victim or not? I think for our purposes this time crosstalk.

Kip Boyle: We're just going to set that aside.

Jake Bernstein: We're going to set that aside. Yes, they're a victim, but we're going to say, the question here is, did they violate the law?

Kip Boyle: Okay. Did they have a duty and crosstalk.

Jake Bernstein: They have a duty and did they violate it? And the answer, of course, is yes, absolutely. The circuit court, third circuit agreed with the FTC's analysis. And they said that, yes, in fact, there's nothing that a reasonable consumer could have done to avoid the situation and they suffered harm and that's what's needed for unfairness. And whether you like that or not is beside the point. That's been a law for a very long time.

Kip Boyle: Okay. So when did the Wyndham case get decided, at the circuit court level?

Jake Bernstein: Yeah, it was August 24th, 2015.

Kip Boyle: 2015. And when did the FTC start taking actions against poor cybersecurity practices?

Jake Bernstein: So prior to Wyndham, the FTC had actually already investigated and settled 55, approximately data security cases. They'd been doing it for years. And while they were doing it, their authority really wasn't confirmed by a court. And I don't want to get into some administrative procedure act law about what the FTC is, and there's a process there, but suffice to say that no court, and particularly no circuit court, had ruled on this question before the Wyndham case in 2015.

Kip Boyle: Okay. Okay. So anything else about the Wyndham case before we get to the next one?

Jake Bernstein: Just, I think the point here is that, the Wyndham case is not particularly useful in terms of a, what should I do kind of question? Because like I said, the cybersecurity hygiene and practices were so bad that it's almost, at this point, it's laughable, it's obvious, you're not going to do these things. The reason it's important is just that it's the case that gives the FTC the power to do this, and it's not going anywhere.

Kip Boyle: Okay. Got it. So, if anybody thinks the FTC doesn't have the authority to talk about this, we now know that they do.

Jake Bernstein: Yeah. They're just wrong. Whoever thinks that.

Kip Boyle: Okay. Okay. Okay, great. So now, who else should we talk about?

Jake Bernstein: I'd like to talk about two other cases that are, I think, really good examples. One, it's the FTC's complaint against ASUS Tech Corporation, which as you know, is the Taiwanese based computer hardware manufacturer.

Kip Boyle: Okay. So I get it. I can buy a motherboard for my computer from these guys. Right?

Jake Bernstein: You can buy it, now you can actually buy gaming laptops and full desktop systems. You can buy monitor, in fact, I'm, have an ASUS monitor right in front of me right now.

Kip Boyle: Oh, and that's the nice what? 4K1 that you showed me the other day?

Jake Bernstein: It is, this is a nice 4K1, but they also sell routers.

Kip Boyle: Okay.

Jake Bernstein: And what the ASUS Tech FTC action is about, is their routers. And these routers span from, actually as far back as 2009, I believe they started selling them. But specifically we're looking at actions and events somewhere around between 2012 and 2014.

Kip Boyle: Okay.

Jake Bernstein: And for reference, this complaint was filed July 18th, 2016. So what you're seeing here is you're seeing a product that had been in the marketplace some, as you'll see bad events that happened late 20, most of 2013, and then into 2014. And then the FTC ultimately has investigated and taken action two years later. So that's where we are. And what the case is about is that ASUS had advertised its routers in certain fashion. And one thing to remember about the FTC is their original bread and butter is false advertising basic consumer protection type cases. So they're really up on advertising and representations that are made in advertising.

And so what ASUS did is that they said, hey, we've got these routers and they're super secure. In fact, not only are they very secure, but we also have provided you some additional functionality in these routers, two different products called AiCloud and AiDisk. And these were both advertised heavily as being private secure clouds. And what you could do is you could plug a USB storage device directly into these ASUS routers, and it would basically create a little server for those files so that you could access them from the internet.

Kip Boyle: That seems handy.

Jake Bernstein: Seems handy, right? And had their representations been accurate, it would've even been secure. However, as you can tell from the fact that there even is a case that, that's not what happened. And ultimately what ASUS did was produce products that really had poor built in security. They were obviously not designed with security in mind. The details are technical and somewhat interesting. And I would encourage people who are curious to investigate this case. You can find it online at the FTC's website.

Kip Boyle: Okay. But how did the FTC know this? Because the advertising sounds like it was really, really good. So how does the FTC figure out that it's a lie?

Jake Bernstein: So in this situation there were security researchers who publicly disclosed these issues. In fact, that happened around June 2013.

Kip Boyle: Okay. Okay. Got it.

Jake Bernstein: Yep. In November, of 2013, the security research actually contacted ASUS again, ASUS didn't do anything. And then it was actually not until January 2014, that a number of European media outlets published stories about these security risks. And it was only after these stories that ASUS began to actually start to do things.

Kip Boyle: Okay. So let me recap. So ASUS builds a product. They advertise it as being really, really secure and having great features and functionality. Then these security researcher, so somebody who isn't involved with ASUS, and also somebody who's not in the FTC, this is a third party.

Jake Bernstein: These are third party security researchers. Correct.

Kip Boyle: Okay. All right. So a third party researcher disassembles the ASUS product, discovers that it's, there's a very big gap between what they say it can do for security and what it can actually do. And then they contact ASUS and say, hey, you need to fix this. And then after ASUS says basically nothing, then it breaks in as a news story. And then the FTC gets wind of it. Is that about right?

Jake Bernstein: That's about right. And to finish this little story here, ASUS did take some action after that January 2014 story, they had some firmware updates that they created. The problem is, is that they didn't tell anyone about them. They didn't make a concerted effort to inform their customers that they had these firmware updates.

Kip Boyle: Okay. So they did take some actions, but okay, but they didn't tell anybody. All right, got it.

Jake Bernstein: So one of the reasons is, we'll talk about when I finish this story, is this is a good example of the respond and recovery steps in the NIST cybersecurity framework. And actually I should say failures of the respond and recovery step. So to complete this story real quick. On February 1st, 2014, a group of hackers actually did exploit all these vulnerabilities. And there were thousands and thousands of consumers who were affected. People had put their personal data up online, unknowingly without using these products, and that data was stolen. A lot of people got injured. And only after that did ASUS begin to say, oh, we have a firmware update. And so crosstalk.

Kip Boyle: Okay. So that's the harm that the FTC watches out for.

Jake Bernstein: Yes. Exactly. And it was obviously, from the timeline it was after this, that the FTC takes an interest in this matter and goes and looks at the whole overall process and what happened. And that's when they found about the security researcher contacting ASUS multiple times and ASUS isn't doing anything. So you can see that over the course of these events, ASUS had the opportunity to follow the NIST cybersecurity framework, the response and the recovery stages, and they just didn't do a good job, arguably they didn't do it at all. And if you look at the counts, you can think of counts in the complaint as individual crimes like you might see in a criminal indictment. And in this situation, the FTC came up with five counts and those counts are router security misrepresentations. So, that's about what they said. Security misrepresentation is about AiCloud and AiDisk, that's count two and count three. Count four is a firmware upgrade tool misrepresentation. They basically said you can rely on this upgrade tool to accurately indicate whether or not the firmware update has gone through to your router. Well, it didn't work. Oops.

And then finally, the one that we're most interested in is the unfair security practices as count five. And this is what it says. They say as set forth in paragraphs four through 36. So you think about this complaint, it's actually only a 10 page complaint, but they're talking, so they're looking at maybe eight tenths. 80% of this complaint is about the unfair security practices. And this is what the FTC says. Respondent, ASUS, failed to take reasonable steps to secure the software for its routers, which the respondent, ASUS, offered to consumers for the purpose of protecting their local networks and accessing sensitive personal information. The respondent's actions caused, or likely to cause substantial injury to consumers in the United States. And that last component, that is not outweighed by counter-veiling benefits to consumers or competition.

So, the FTC then said, this practice is an unfair actor practice. And what they're getting at here is that they failed to reasonably secure their routers and their related cloud features. And these are technical issues. If you go into this complaint and you look at what they're talking about, paragraph 30 has, gosh, A, B, C, D, E, F, G, and A has three sub-parts.

Kip Boyle: Yeah. That was one thing I was going to observe, is that when I think of the FTC, I think of government agency, I don't think of them off the bat as a very technically savvy organization, but in this complaint they sure sound like they have some technical chops.

Jake Bernstein: Well, so the FTC, like many of these enforcement agencies, has investigators. And in the past, those investigators might have, a lot of them came from the insurance industry, because what are you looking for? You're looking for fraud. You're looking for misrepresentations. And if you're an insurance industry investigator, you're good at sniffing out lies. So, that's historically where a lot of investigators came from. A lot of investigators are former cops, so they're no longer, they're using the skills they developed while being a police officer to investigate civil issues like this. Nowadays though, who do you think is becoming investigators at the FTC?

Kip Boyle: Well, it must be people who are cyber or very highly technical.

Jake Bernstein: Yes. And that's what you're seeing now. Now as the fraud and the scams have moved online and hacking has become a big issue, you're naturally seeing some of these investigators are coming from the technology industry. So, the FTC has capability to do this. The lawyers don't need to be technically savvy themselves like every lawyer, they will learn the lingo, they will learn the information from their investigators to prosecute these crosstalk.

Kip Boyle: Okay. So 10, 15, 20 years ago, the FTC probably didn't have this capability of understanding the technological dimensions of what some of these companies like ASUS was doing. And so ASUS probably felt like, no, they're going to figure this stuff out. We're really not exposed legally because this is so complicated that, and investigators really aren't going to understand what's going on here, but if they ever thought like that, I guess what we're learning is stop thinking like that, because it's not true.

Jake Bernstein: It's not true. And it's hard because 10 to 15 years ago, there was a question of whether or not anyone would've thought about these issues. Network security at that time period was, as you are well aware, the purview of militaries and certain types of industries.

Kip Boyle: Defense industry, pharmaceuticals. I remember working at that time with global top 50 organizations, they were definitely into it, but almost nobody else was.

Jake Bernstein: Exactly. And the threat wasn't readily noticeable to everyone at that time. And frankly, the technology of the day, it wasn't as widespread. There wasn't as much to get. Obviously all that's different now. So, whatever the past, this is the reality now. And I can promise you that the FTC is only going to get more and more sophisticated. And in fact, let's talk about the last case I wanted to talk about today to really further drive home this point. And that is the FTC's August 13th, 2014 complaint against Fandango.

Kip Boyle: Is that the place that you can buy movie tickets from?

Jake Bernstein: Yeah. Fandango is the website that is fandango.com. For a while they had the funny puppets and it was the movie ticket website.

Kip Boyle: Yeah. That's when it first learned about them. Okay. So these really great, like lunch sack puppets. Yeah. That's right. Okay.

Jake Bernstein: That's right. Yeah. And so what happened here is that if you recall back in 2009, Apple, the iPhone, I believe the iPhone 3GS had just come out in 2009.

Kip Boyle: Sounds about right.

Jake Bernstein: And that was around the time that Apple released the App Store to everybody. Maybe people don't remember, but when iPhone first came out, there was no App Store. You couldn't buy apps. There were only what Apple gave you.

Kip Boyle: How primitive.

Jake Bernstein: I know, how primitive, but Fandango was one of the first to offer an application, a mobile app to buy your movie tickets. And that's what they did. They put out their Fandango iOS app and people indeed could use it to buy their tickets from their phone.

Kip Boyle: Yeah. Super convenient. Right?

Jake Bernstein: Super convenient. Very much so. And unfortunately, what Fandango failed to do was abide by, and in this case, actually the application development interfaces defaults.

Kip Boyle: That sounds really technical. What does that mean?

Jake Bernstein: So, we're going to talk about APIs and SSL, but what this means is that, it is technical, but what the FTC is doing, and they're digging into the technical component of it. From a layperson's viewpoint, the Fandango app used a process that was insecure and it was known to be insecure. And it was so known to be insecure that actually, if they hadn't messed with it, it would've been fine. And so to dig into that a little bit, SSL stands for secure sockets layer. It's a protocol that is used to establish authentic encrypted communications and connections across the internet. In order to make that work, you have to have electronic documents that are called SSL certificates. And basically you can think of this as a handshake online.

Kip Boyle: Okay. So my computer wants to talk to the Fandango server, in this case, the app on my iPhone wants to talk to the Fandango server, and because that goes over the internet, we want to make sure that, that conversation can't be monitored by anybody else.

Jake Bernstein: And the only reason we care is that we're going to be sending payment information. Maybe someone cares about their privacy about which movie they're going to see on a given date. But the reason that we really care is that in order go see that movie, they have to buy a ticket, in order to buy the ticket, they're going to transmit their credit card data.

Kip Boyle: Right. And as a consumer, I don't want my credit card information to be compromised because that's going to cause a lot of inconvenience for me.

Jake Bernstein: Exactly. If credit card numbers were sent in plain text with all the data you needed, then you just really couldn't use a credit card online. Your credit card number would be stolen. Everyone knows it's a pain. Even now it's a pain to have to get a new credit card issue. Even if you're not financially liable, it's a pain. And keep this in mind too, just because you are the consumer, not financially liable doesn't mean that someone isn't somewhere. I think as consumers, we have this misconception that it's no big deal, credit card number theft, but people are paying and there is damage being caused to our economy when money is stolen via credit card number.

Kip Boyle: Okay. So it's a big deal.

Jake Bernstein: It's a big deal. So you don't want to have your credit card number go across the internet unencrypted.

Kip Boyle: Okay. So Fandango was supposed to be sending which movie I wanted, my credit card information securely over the internet, but what really happened?

Jake Bernstein: So what really happened was, and I was going to continue that, the way it works would be that your iPhone says, here's my SSL certificate. And Fandango service says, okay, here's my SSL certificate. And they do some encryption cryptography stuff. And that's how they can authenticate to each other. And what Fandango did is they used an SSL certificate that was not the default for the iOS. And it turned out that it didn't work. So rather than throw up an error message and say, your connection's not secure. We're just not going to send this data. The Fandango app was like, you know what? Close enough. Here's your credit card data anyway. And they sent that credit card data in the clear, which means in plain text over the internet. And get this, this happened from March 2009, right around the time the iOS App Store came into existence, until March 2013.

Kip Boyle: That's four years.

Jake Bernstein: That's four years where the Fandango movies application for iOS failed to validate SSL certificates, and they overrode the defaults provided by the iOS APIs.

Kip Boyle: Okay. Okay. So if they had just used the defaults, they would've been fine, but for whatever reason, they decided we know how to do this better than Apple. So, we're going to do it our way. And for four years they got it wrong. Is that about it?

Jake Bernstein: That's about it. And really when the FTC dug in, here's what they tagged them for, three different components. One overriding the default SSL certificate without implementing other security measures to compensate for the lack of SSL certificate validation, and then failing to appropriately test audit, assess, or review its application, including failing to ensure that the transmission of this data was secure. And then finally they failed to maintain any kind of process for receiving or addressing security reports from third parties. So, they really just completely screwed the pooch on this one. And crosstalk.

Kip Boyle: And the FTC found out.

Jake Bernstein: And the FTC found out, they investigated this. And Fandango rolled over. So unlike Wyndham, there was no lawsuit here. This was purely an administrative procedure, the complaint and the, what's called the consent decree, which is the settlement. They were filed more or less at the same time, which tends to indicate that the company agreed to a settlement immediately.

Kip Boyle: Okay. So I had a question for you. So as a user of the Fandango app, I had no idea. There's no way for me to know that my information's going over the internet without any kind of protection. How did the FTC figure that out, or was there a third party researcher again?

Jake Bernstein: So, it's unclear to me exactly what triggered the FTC's investigation. They don't always tell people how they find cases. Certainly, my background, I was a assistant attorney general and I brought cases like this, using what we call the baby FTC act in Washington State, the consumer protection act. So it's actually the same work. I wouldn't tell people how I necessarily found a case.

Kip Boyle: Ah, okay.

Jake Bernstein: The point ultimately was that I did find it and then you had to worry about it.

Kip Boyle: So does the FTC actually look at, like that app? Did they actually take it apart, do you think? Or crosstalk.

Jake Bernstein: So, here's what I expect happened. I tend to doubt that the FTC's out there auditing iOS apps.

Kip Boyle: Okay.

Jake Bernstein: That would be an impossible task. Simply not doable. Apple doesn't even do that, to the extent that it would be necessary to have caught this. So, what must have happened is that someone discovered this vulnerability and reported it. And after that report, the FTC then is like, that seems interesting. And then they investigated it. And the reason that this is important is that once they found out about it, they dug in themselves. So this is something that's important to understand is that, it's a little bit like the police, they still have to investigate the crime in accordance with their procedures and their rules. FTC isn't going to write a complaint based off someone's word. They're going to go and they're going to do their own work. So they did their own work. And this complaint is the result of that.

Kip Boyle: Okay. Okay. So again, what we're seeing here is the FTC is not afraid to get their digital hands dirty, so to speak. Just like with ASUS where they actually got in and understood the technical aspects of it, sounds like they did that again here.

Jake Bernstein: They did. And what's really interesting about this case is that unlike ASUS, there was actually, to my knowledge, no particular evidence that consumers were harmed with the Fandango thing. So one of the things to keep in mind is that the FTC has authority to stop practices that have the potential to cause harm.

Kip Boyle: Oh, okay. Okay. Okay, great. So it's practices that we're focused on not actual damage, is that about right?

Jake Bernstein: Right. So the standard is actions that cause, or are likely to cause substantial injury to consumers. So this is a situation where the FTC said, look, this practice, basically you were lucky. If people didn't get... First of all, we don't necessarily know that people didn't get hurt. If this information was going across the internet unencrypted for four years, I'm not sure how you would actually know for certain, there's lots of different ways to find credit cards. It's quite possible. It's quite probable even that someone was injured from this, but the FTC doesn't have to prove that, it can do its job just by showing that this is likely to cause substantial injury.

Kip Boyle: Okay. Okay. Got it.

Jake Bernstein: And so that's an important thing to understand, because I think a lot of companies might feel like, well, no one got hurt, so what's the big deal?

Kip Boyle: Yeah. Right. It's a victimless crime, or it's a failure. Yeah. But yeah, it didn't actually result in anybody getting hurt on. Okay. I see that. Okay.

Jake Bernstein: And actually your phrase right there is I think worth looking at, victimless crime is a phrase that you hear uttered when people are, they disagree with the policy behind certain criminal laws. Oftentimes people will say that, marijuana usage is a victimless crime. And again, that's a separate podcast on it with a different sponsor, whether or not there's anything as a victimless crime. The point though here is that, this is an affirmative regulation in a sense. And it doesn't matter, you can take issue with the policy behind it, but the fact that it's victimless it just doesn't matter to me.

Kip Boyle: Okay. So, for cyber risk managers out there, who are listening, that's really the point, which is, don't think that because nobody shows up at your office wrapped in bandages showing you that they've been hurt. That doesn't mean that the FTC isn't going to come after you, if they believe that you are engaged in unreasonable cybersecurity practices.

Jake Bernstein: Exactly. And here's how I look at it as a litigator and a former enforcer, bleeding bodies, as we say, they can be good evidence, they're very persuasive evidence. But you don't have to have a bleeding body to bring these cases.

Kip Boyle: Okay. Okay. Got it. All right. Well, so we're just about out of time. Any last words on this topic?

Jake Bernstein: No, I think we've covered it pretty well.

Kip Boyle: Okay. Thanks Jake. Today, we've been talking with Jake Bernstein, an attorney at the law firm, Newman Du Wors here in Seattle. Thanks everybody for joining us today on the Cyber Risk Management podcast.

Jake Bernstein: Remember that cyber risk management is a team sport and needs to incorporate management, your legal department, HR, and IT for full effectiveness.

Kip Boyle: And management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our cyber risk managed program.

Jake Bernstein: You can find out more by visiting us at cyberriskopportunities.com and Newmanlaw.com. Thanks for tuning in. See you next time.

Headshot of Kip BoyleYOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein

  Newman DuWors LLP

Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.