FTC probe of Verizon holds valuable lessons in cyber security protocol
Companies can glean valuable guidance from the Federal Trade Commission ending its investigation into the security of Verizon Communications Inc.'s routers should they face such a probe.
Legal and insurance industry experts say it is critical for companies to maintain up-to-date cyber security standards as one way to avoid such regulatory scrutiny in the first place.
Experts also advise buyers to make sure their cyber insurance covers regulatory exposures.
The FTC, which investigated whether Verizon engaged in “unfair or deceptive acts or practices” by continuing to ship routers using an outdated encryption standard, closed its probe with a mid-November letter to the New York-based communications firm's attorney.
Maneesha Mithal, associate director of the FTC's division of privacy and identity protection, cited Verizon's overall data security practices and steps it took to address concerns about its routers' security in ending the investigation.
She added, however, “We continue to emphasize that data security is an ongoing process. As risks, technologies and circumstances change over time, companies must adjust security practices accordingly.”
Verizon said in a statement that customers' “online security is critically important to us.” It said its partnerships with groups such as the National Cyber Security Alliance are “raising awareness and helping our customers be safe and secure whenever they are connected.”
Meanwhile, the FTC and Wyndham Worldwide Corp. continue their litigation over the Parsippany, New Jersey-based hotel chain's cyber security standards as a result of three data breaches. Unlike in the Wyndham case, there were no reported data breaches involving Verizon.
In the Verizon case, the FTC's emphasis on data security being an ongoing process shows that “you can't simply put something in place and call it a day,” said Michael P. Hindelang, a partner at law firm Honigman Miller Schwartz & Cohn L.L.P. in Detroit.
“The message here is that companies don't exist in a vacuum as it relates to privacy and data security, and they need to be paying attention to what's going on in the environment,” said S. Gregory Boyd, a partner at Frankfurt Kurnit Klein & Selz P.C. in New York.
If there is an investigation, “having a good, overall security practice is going to help even if there are some issues with the specific network security practice,” said Michael Born, Kansas City, Missouri-based vice president and account executive of the global technology and privacy practice at Lockton Cos. L.L.C.
“Being proactive is not a panacea, but it goes a long way towards demonstrating a company's recognition of, and willingness to face, a growing problem,” said Richard J. Bortnick, senior counsel at law firm Traub Lieberman Straus & Shrewsberry L.L.P. in Red Bank, New Jersey.
A breach avoidance program should include top management as well as representatives of the risk management, legal and human resources departments, he said.
“You need to have a story to tell the regulatory agency,” saying that “despite your best and reasonable efforts, a problem occurred, and ... look at all the efforts that we made to mitigate or prevent further damage,” said Randall Krause, CEO of Fresno, California-based consultant ePlace Solutions Inc.
“The FTC was in some ways pushing the limits by saying Verizon had engaged in an unfair trade practice” by simply not having state-of-the-art security, said Robert E. Cattanach, a partner at Dorsey & Whitney L.L.P. in Minneapolis.
“There's always a tension if you sense the FTC is out there a bit. Do you call them out on it” or cooperate? Verizon “obviously chose the latter path,” which paid off, he said.
“The things Verizon did to avoid this issue and avoid a consent decree was probably far less costly than having to comply with some of the consent decrees I've seen, which were relatively egregious,” Mr. Born said.
Should regulators launch an investigation despite a company's best efforts, “bow and scrape,” quipped Paul Rosenzweig, founder of Washington-based Red Branch Consulting P.L.L.C. and a former deputy assistant secretary for planning at the Department of Homeland Security.
“You need to take very seriously what the government says to do, and fight with them only on very, very rare occasions,” he said.