As agencies such as the Federal Trade Commission (the “FTC”) and the New York State Department of Financial Services (the “NYSDFS”) begin review of their cybersecurity policies, it looks like the road ahead may be a bit more prescriptive. This could be a good thing for cloud-based service providers and their customers, both of whom could see costs decrease as vague standards are replaced with more specific guidance.
Historically, regulatory agencies have resisted calls for specific cybersecurity guidelines for cloud-based service providers. Citing the speed with which technological options evolve, the varying size and financial strength of the parties involved, and the range in criticality of data, regulators have instead filled their rules with vague mandates to develop and maintain “effective” or “reasonable” security programs which include “consideration of the company’s size and complexity, the nature and scope of the company’s activities and the sensitivity of the data that is collected.” Vendors are expected to use “best practices” and to be consistent with “industry standard,” but what exactly that means, nobody truly knows.
The Cost of Regulatory Ambiguity
For the cloud service provider, this ambiguity creates a great economic toll and an increasing barrier to entry.
Professionals and Consultants Required. Because the reasonableness standard is developed through a steady trickle of case law and regulatory enforcement actions, the only way to truly understand the state of play is to engage professionals who have been tracking regulatory pronouncements and case law on an ongoing basis and who have been working with many players in the industry over a long period of time.
Customer Insistence on Unreasonable Security Standards. Because cloud customers are (i) in the dark about what “industry standard” actually means, (ii) fearful of data breach risk, and (iii) eager to pass as much risk and expense onto third party service providers, they often begin contract negotiations with unreasonably aggressive security requests. This creates an additional financial burden on the entire system as each side is forced to invest considerable time and energy into negotiating each and every service contract.
A Trend Toward More Prescriptive Guidance?
Whether it is a coincidence or a recognition that more specific guidance is needed, this Fall, both the FTC and the NYSDFS announced plans to review cybersecurity guidance. In each case, there was a new (and welcome) interest in increased specificity.
Proposed NYSDFS Regulations. In September 2016, the NYSDFS announced proposed cybersecurity regulations for institutions under its jurisdiction. Among the more specific requirements (unless modified, scheduled to go into effect on January 1, 2017) for cloud service providers servicing NYSDFS regulated institutions are:
- Annual assessment of continued adequacy of security practices
- Multi-factor authentication
- Encryption of data in transit and at rest
- Prompt notice of a cybersecurity event
- Identity protection services provided to customers impacted by a cybersecurity event due to negligence or willful misconduct
- Representations and warranties that the service is free of viruses, trap doors, time bombs and other mechanisms that would impair security
- Covered Entity audit rights
FTC Safeguards Rule Review. Similarly, in September of 2016 the FTC announced plans to review the Safeguards Rule. Among the items under consideration are whether the Safeguards Rule should specifically include the requirement of a breach response plan, and whether the rule should be more prescriptive in nature.
Lower Administrative Costs Ahead?
While more specificity could lead to greater implementation costs, those costs could be offset by a reduction in legal costs associated with deciphering regulatory requirements and negotiating contracts. In addition, to the extent companies rely on consultants or other professionals to guide them through regulatory compliance, these services should become more streamlined and “off the shelf.” Perhaps over time we will see spending going where it belongs: security dollars spent on creating information security.