(March 24, 2000)


I. A Continuum of Security Options

1. Sliding Scale Security Standards - Require commercial websites that collect personal information to adhere to a sliding scale of security standards and managerial procedures in protecting individuals' personal data. This scale could specify the categories of personal data that must be protected at particular levels of security and could specify security based upon the known risks of various information systems. In the alternative or as part of the standard, there could be minimum security standards for particular types of data. The sliding scale could be developed by the FTC or another government agency and incorporate a process for receiving input from the affected businesses, the public, and other interested parties.

2. "Appropriate Under the Circumstances"/"Standard of Care" - Require all commercial Websites holding personal information to adopt security procedures (including managerial procedures) that are "appropriate under the circumstances." "Appropriateness" would be defined through reliance on a case-by-case adjudication to provide context-specific determinations. This standard would operate in a manner similar to that governing medical malpractice for physicians: as the state of the art evolves and changes, so does the appropriate standard of care. An administrative law judge of the FTC or another agency or a court of competent jurisdiction could adjudicate the initial challenge.

3. Rely on Industry Specific Security Standards - All commercial websites that collect personal information could be required to adhere to security standards adopted by a particular industry or class of website. There are three quite different options for how the standards are developed:

a. The standards could be developed by a government-authorized third party through a process that encourages public participation (notice and comment) and may include governmental review.
 
b. The standards could be established by any third-party but the FTC could require that the standards address specific topics (e.g. access, data integrity, notice, authentication, etc.).
 
c. The standards could be developed by any third-party as long as the identity of the standard-setting organization is revealed to consumers (this is in effect a security "seal" program).

4. Maintain a Security Program - Require all commercial Websites that collect personal information to develop and maintain (but not necessarily post) a security program for protecting customers' personal data. This option could take one of two forms:

a. The contents and methodology of the security plan could be specified, and businesses could be required to post a brief notice indicating their compliance. Under this option, the security program would be viewed as a continuous life cycle evolving to meet the needs of the organization. The cycle would begin with an assessment of risk; the establishment and implementation of a security architecture and the management of policies and procedures based on that risk; training; audit and continuous monitoring; and periodic reassessment of risk. Each of these essential elements can be designed to meet the unique requirements of organizations regardless of size.
 
b. Alternatively, the requirement could be limited to a simple mandate that the website adopt a security strategy without specifying the details to be included in the strategy or requiring that the strategy be posted.

5. Rely on Existing Remedies - Before requiring any particular security steps, wait to see whether existing negligence law, state attorneys general, and the pressure of the market induce Websites that collect personal information to generate their own security standards. It is worth noting that the insurance industry has started to insure risks associated with Internet security. The emergence of network security insurance may force companies to address security issues seriously, as the presence or absence of adequate security will be taken into account in the underwriting process used to determine premium rates.

II. Consumer Notice and Education

Certain options were considered but viewed as inappropriate by themselves. Because these options may nonetheless have value in combination with other options, they are discussed in this section.

1. Post a Security Notice - A security notice is only useful if it allows consumers to compare security among sites in an understandable way. Since it is difficult to convey any useful information in a short statement dealing with such a complex subject as the nuts and bolts of online security, most such notices would be confusing and convey little to the average consumer. While notice statements could be useful in conjunction with one of the other options (alerting consumers to the presence of a security plan, compliance with a seal program, or a regularly updated security audit), they are ineffective standing alone. There is not necessarily any meaningful correlation between the presence or absence of a security notice statement and the true quality of a website's actual security.

2. Consumer Education - Sponsor education campaigns to alert consumers to security issues, including how to assess the security of a commercial site and what steps to take to protect their own security. This option could be implemented by itself, but we concluded that it is better combined with other options. Regardless of what security solutions the FTC decides to recommend, it would be extremely valuable for the FTC or particular industry associations to sponsor consumer education campaigns aimed at educating Internet users as to what to look for in evaluating a website's security. In addition, no system is secure against the negligence of users, so consumers must be educated to take steps on their own to protect the security of their personal data.

III. Enforcement Options

1. Government Enforcement Program - The FTC or another agency could enforce compliance with standards using its current enforcement power or using newly expanded authority. The enforcement regime could provide for civil or criminal fines, or both, as well as other equitable remedies.

2. Create Express Private Cause of Action - Congress could establish a private right of action enabling consumers to recoup damages (actual, statutory, or liquidated) when a company fails to abide by the security standard established through one of the options set out in Section I. In the alternative, Congress could establish a private right of action enabling consumers to recoup damages where they suffer harm due to an entity's failure to abide by the security standard established through one of the options set out in Section I. The creation of private rights of action would help create strong incentives for entities to adopt and implement reasonable security practices and ensure compensation for individuals harmed as a result of inadequate security of data. Important issues would need to be addressed in such legislation, including the availability of compensatory, liquidated, or punitive damages, the elements of any such cause of action, and the specific parties covered by the statute. However, it is unclear whether private rights of action on their own are the most effective method of policing privacy. Individuals who have suffered an invasion of their privacy may be reluctant to use litigation, a very public process. Absent a requirement that businesses notify affected individuals when a violation of security standards has occurred, it is difficult for individuals to identify when a business fails to meet its obligations; therefore, under-enforcement is a distinct possibility if this is the only enforcement option.

3. Third-Party Audit or Other Assurance Requirements - Rely on independent auditors to ensure compliance with standards. This structure could require security standards to be verified by an external body and could require public disclosure of the findings.

4. Rely on Existing Enforcement Options - Many of the options include the publication of the website's security procedures or its adherence to particular standards. Such postings are subject to traditional FTC enforcement if the statements are false. It is also of course possible for consumers to bring their own actions for fraud, false statements, or underlying negligence in the handling of the data.

IV. Additional Policy Issues/Options

1. Big vs. Small Business Concerns - We considered the relative impact of many of these options on smaller, start-up companies or newcomers to the online environment. We were reluctant to recommend a special treatment for such Websites, in part because any risk assessment automatically takes into account the size of the company (or, more appropriately, the size of a website's potential exposure to security breaches). In many cases (but not all) a smaller Website or less well-established company will have fewer customers, less data to secure, and less need for heavy security. A smaller site may also have an easier time monitoring its exposure manually and informally. The cost may also generally be lower to secure less data.

2. Competition Law Approvals - Several of the above options depend on or would be advanced by inter-industry cooperation and consultation on appropriate and feasible security standards. When industry agrees on standards with real bite, however, the industry members who feel that bite tend to call their antitrust lawyers. It is vital that the FTC or the Department of Justice make assurances to industry members that cooperation in the development or enforcement of security standards and procedures will not result in antitrust liability.

3. Internal Security - Most of the publicly expressed concerns about the security of personal data have to do with outside "hackers" who clearly lack authority to review personal data - or anything else behind the commercial site's firewall. But many threats to computer security come from insiders. So presumably good security means internal managerial and technical processes and policies to deal with the insider threat. Regulation of inside threats, however, is an extremely ticklish undertaking. Whether an employee is authorized to see certain data will depend on many circumstances that often cannot be reduced to rules. When addressing these insider threats, the FTC should either avoid regulating inside conduct at all or else ensure that any regulations are flexible enough to deal only with actual threats rather than innocent (albeit not formally "authorized") access to data.

4. Integrity - Some concepts of security - and some legal definitions - call for "integrity" of data. Data is typically defined as having integrity if it has not been "corrupted either maliciously or accidentally" (Computer Security Basics, O'Reilly & Associates, Inc., 1991) or has not been "subject to unauthorized or unexpected changes" (Issue Update on Information Security and Privacy in Network Environments, Office of Technology Assessment, 1995, US GPO). These definitions, issued in the context of computer security rather than legal enforcement, pose special problems when translated into a legal mandate. If integrity is read narrowly, as a legal matter it would focus on whether a website has some form of protection against malicious corruption of its data. If the definition is read broadly, it could lead to liability for data entry errors or other accidental distortions of the private personal information it maintains. For this reason, integrity as a legal standard needs to be defined with great care. There would be little controversy over an integrity requirement that was narrowly focused on preventing deliberate corruption of data by hackers or others. It would be a far more controversial step to read the requirement for integrity as imposing liability on all websites that contain recordkeeping errors or sloppy database practices.

5. Additional Measures - There are other ways in which government could improve the security of personal data without imposing regulatory solutions. Some would argue that, before the government criticizes the private sector, it should demonstrate its own capability in the area of privacy protection. Government could establish standards for its own use in the hope that those standards will be adopted in the private sector; it could also establish audits or prizes to police and reward individual agencies and to show industry how best practices can be implemented.

Draft Pros and Cons

I. Continuum of Security Options

1. Sliding Scale Security Standards - Require commercial Websites that collect personal information to adhere to a sliding scale of security standards and managerial procedures in protecting individuals' personal data. This scale could specify the categories of personal data that must be protected at particular levels of security and could specify security based upon the known risks of various information systems. In the alternative or as part of the standard, there could be minimum security standards for particular types of data. The sliding scale could be developed by the FTC or another government agency and incorporate a process for receiving input from the affected businesses, the public, and other interested parties.

Proponents would argue:

1) A sliding scale allows for the matching of consumer protection risk to data source, thereby allowing companies to develop a more efficient compliance and technology infrastructure.
 
2) A sliding scale provides commercial flexibility in the way Websites comply with security standards.
 
3) A sliding scale can be created to protect individual consumer preferences with respect to privacy and security.

Opponents would argue:

1) This option will embroil the FTC in trying first to gauge the sensitivity of numerous, different types of data and then to match the sensitivity with particular security measures. It is an impossible task, and the results will be a mess.
 
2) If the sliding scale is produced at a high level of generality, it will be unenforceable and probably incomprehensible; if it is made specific enough to enforce, it will be a straitjacket for many businesses and a series of loopholes for others.
 
3) Even if it could be prepared properly the first time, a sliding scale would have to be updated almost constantly, a task for which government is ill-suited.

2. "Appropriate Under the Circumstances"/"Standard of Care" - Require all commercial Websites holding personal information to adopt security procedures (including managerial procedures) that are "appropriate under the circumstances." "Appropriateness" would be defined through reliance on a case-by-case adjudication to provide context-specific determinations. This standard would operate in a manner similar to that governing medical malpractice for physicians: as the state of the art evolves and changes, so does the appropriate standard of care. An administrative law judge of the FTC or another agency or a court of competent jurisdiction could adjudicate the initial challenge.

Proponents would argue:

1) This approach allows for an assessment of security tied directly to considerations of circumstance and knowledge. It is impossible to summarize in any detail the balance that must be struck between security and usability; even for the most sensitive data, such as medical information, it may be necessary to lower security standards in order to assure prompt treatment for the injured.
 
2) The creation of a general standard that is informed by the security practices of others similarly situated at a certain date and time allows for flexibility and growth while encouraging ongoing progress. A similar approach is found in judging medical treatment: doctors are not regulated by an elaborate rulebook but rather by the requirement that they practice medicine in accordance with accepted professional standards. The law leaves definition of those standards to the particular case.
 
3) This approach is designed to encourage increasingly strong security practices. If a bright line rule is adopted, there is little doubt that the pace of technical change will leave the adequacy of regulation in the dust, and what was intended to be a regulatory floor will become a ceiling in practice. Rising tides do raise all boats, except those that are anchored to the bottom.

Opponents would argue:

1) While everyone realizes the challenges of providing sufficient security in different situations during a period of rapid technological change, responsible businesses should attempt to prevent unauthorized access or modification to personal data before it happens and not after the fact. In the absence of clear minimum security standards, courts and companies will lack guidance, because there are no universally accepted security standards.
 
2) For consumers, the absence of any clear definition of what is sufficient security may put their personal information at risk from companies who do not share the same risk assessment about what is "appropriate under the circumstances."
 
3) For commercial websites, there are also disadvantages to this approach; their security precautions will not be judged until after a breach has occurred, which means that the precautions are more likely to be viewed as inadequate in hindsight.
 
4) An after-the-fact security standard could lead many websites to ignore security until they are sued.

3. Rely on Industry Specific Security Standards - All commercial Websites that collect personal information could be required to adhere to security standards adopted by a particular industry or class of Website. There are three quite different options for how the standards are developed:

a. The standards could be developed by a government-authorized third party through a process that encourages public participation (notice and comment) and may include governmental review.
 
b. The standards could be established by any third-party but the FTC could require that the standards address specific topics (e.g. access, data integrity, notice, authentication, etc.).
 
c. The standards could be developed by any third-party as long as the identity of the standard-setting organization is revealed to consumers (this is in effect a security "seal" program).

Proponents would argue:

1) No government agency is smart enough or fast-moving enough to set network security standards for a particular industry. Industry-specific standards should be set by industry because each sector has different computer security needs and methodologies.
 
2) Industry groups will have a strong incentive to avoid setting too low a bar. Every company with a brand name is held accountable for the products sold under that name. So too with security standards-setting organizations; those that are associated with serious security breaches will lose the confidence of the public.
 
3) The three options presented under this heading are quite different, and c. is significantly better than the others. It associates a security standard with a "brand name" so that consumers can decide whether security at the site is sufficient. Option b. simply adds a requirement that the standards address certain issues. In most cases this will be unnecessary and in other cases insufficient. Option a. requires that the government license standard-setting organizations; it also requires notice and comment and perhaps government review for such standards. This option is nearly indistinguishable from requiring government-written standards and will require that the FTC or some other body make hundreds if not thousands of individualized decisions about what security practices should be required in which industries, decisions that will have to be remade every three months as security standards and challenges evolve.

Opponents would argue:

1) Allowing industry to develop (and police) itself invites lax standards and under-enforcement. Self-regulatory organizations that are comprised solely of the industry at issue will not develop robust standards because doing so may subject their members to additional implementation costs and expose them to greater liability.
 
2) The insular nature of the standard-setting process does not adequately assess and address the needs and values of other parties - other industries, the public, policy makers. In the absence of other stakeholders, industry will fail to address important concerns or will craft proposals that undercut other important public policies.
 
3) The standard setting process lacks public accountability. It is inappropriate to develop substantive policy through entities and processes that lack institutional mechanisms for ensuring public accountability and oversight.
 
4) Opponents will find that options a-c do not address their general concerns with industry-generated standards. However, opponents may find that proposal "a" partially responds to criticisms 1 and 2 because it constructs a process for soliciting public and policy maker input and review and, to a limited extent, addresses concerns about industry capture and stakeholder participation. However, because it does not permit other stakeholders to participate in the formulation of the standards, it is unlikely to fully ameliorate these concerns. In addition, because the item to be protected, personal information, is likely to be valued less by businesses than by individuals, the concern about lack of representation is heightened. Opponents may find that proposal "b", while weaker than "a", provides some restraint on the standard-setting process by allowing outside interests to decide what issues must be addressed. Option "c" will garner the greatest opposition from opponents, as it fails to address any of the concerns outlined above.

4. Maintain a Security Program - Require all commercial Websites that collect personal information to develop and maintain (but not necessarily post) a security program for protecting customers' personal data. This option could take one of two forms:

a. The contents and methodology of the security plan could be specified, and businesses could be required to post a brief notice indicating their compliance. Under this option, the security program would be viewed as a continuous life cycle evolving to meet the needs of the organization. The cycle would begin with an assessment of risk; the establishment and implementation of a security architecture and the management of policies and procedures based on that risk; training; audit and continuous monitoring; and periodic reassessment of risk. Each of these essential elements can be designed to meet the unique requirements of organizations regardless of size.
 
b. The requirement could be limited to a simple mandate that the website adopt a security strategy without specifying the details or requiring that it be posted.

Proponents would argue:

1) A security plan is necessary for a commercial website of any size that collects personally identifiable information and wishes to keep the information confidential.
 
2) The scope of the program may vary depending upon the size of the company, and in the case of a very small business, one person may be able to effectively handle security on a part-time basis. However, just as marketing, human resources, and accounting are considered essential business functions for companies of any size, maintaining a security plan is also critical to any company's operations.
 
3) In support of option 4 a., security professionals believe that any effective plan, even if managed by one person part time, should involve the elements of risk assessment, implementation of controls based on the risks, testing and monitoring of controls, and periodic re-assessment of risks.
 
4) Also in support of option 4 a., a statement that the company maintains a security program that assesses risks and implements appropriate controls to address the risks need not be incomprehensible to consumers or too burdensome for businesses to comply with, and it assures consumers and businesses that security has been considered in the system design.

Opponents would argue:

1) Developing and maintaining a plan but not testing it or otherwise verifying or assuring that the organization is complying with the plan will only result in an illusion of security.
 
2) The costs of developing, testing, verifying, and assuring compliance with a plan (especially for small or not technically savvy businesses) will be significant, diverting resources from the main business purpose. Many firms would not know where to turn or how to take the first step in developing such a plan.
 
3) If the plan description is posted, much of it may both be incomprehensible to non-technical users and all-too-clear to technically savvy attackers.

5. Rely on Existing Remedies - Before requiring any particular security steps, wait to see whether existing negligence law, state attorneys general, and the pressure of the market induce Websites that collect personal information to generate their own security standards. It is worth noting that the insurance industry has started to insure risks associated with Internet security. The emergence of network security insurance may force companies to address security issues seriously, as the presence or absence of adequate security will be taken into account in the underwriting process used to determine premium rates.

Proponents would argue:

1) Consumers who suffer harm as the result of negligence can typically bring tort actions. There is no reason to think that consumers who are harmed by a breach would lack a remedy for any specific injury they may suffer.
 
2) Damages are often quantifiable (credit card charges or lost work time due to identity theft for example). And even when they are not quantifiable (disclosure of embarrassing medical data, for example), the problem is no more difficult for juries to resolve than similar intangible wrongs routinely resolved by juries today (libel damages, for example, or "false light" claims).
 
3) It is therefore reasonable to wait for such litigation and to correct any gaps that may emerge in the law when and if the lack of a remedy has been demonstrated.

Opponents would argue:

1) This approach does nothing proactive to advance good practices in the marketplace, and will result in a long delay before security issues are addressed and consumers are protected. It will take some time before litigation based on existing negligence law results in judgments. And it will take time for the market to respond to this, if that even happens at all.
 
2) If relying on existing remedies fails to work, we will then be in the same or a worse position than we are in now, and many more consumers will have had their privacy violated due to security breaches.
 
3) In the meantime, businesses that would welcome guidance from experts may be left to flounder and face lawsuits because of a lack of awareness, even if they are well intentioned.