What we talk about when we talk about 'reasonable cybersecurity': a proactive and adaptive approach.

Author: Miller, Kevin L.

Data breaches have become so commonplace that only the truly far-reaching events seem to be noticed anymore. However, a recent breach that exposed the data of 6.4 million children, in what experts called the largest known hack affecting youngsters, (1) got the attention of the U.S. Congress. (2) On November 14, 2015, VTech, "the global leader in electronic learning products from infancy to preschool and the world's largest manufacturer of cordless phones," was hacked. (3) The stolen data included the children's names, gender, and birthdates, as well as the mailing addresses and email addresses of their parents, secret questions and answers for password retrieval, IP addresses, and download history. (4) There was enough information in the breach that complete family profiles could be reconstructed. Also exposed were the kids' photos, audio recordings, and chat logs gathered by "Kid Connect," a service that allows parents with a smartphone app to chat with their kids via a VTech tablet. (5) The logs, pictures, and recordings could be traced back to specific usernames, allowing those possessing the hacked data to identify the people chatting and in the photos. (6) The hacker who perpetrated the attack anonymously disclosed to a reporter, "Frankly, it makes me sick that I was able to get all this stuff." (7)

The hacker gained access with an "SQL injection" attack, a well-known technique in which untrusted input is pasted directly into a database query so that attacker-supplied text is executed as part of the query, bypassing the application's access controls and exposing the data behind it. (8) An analysis by Troy Hunt, a cybersecurity expert, revealed that VTech had failed to enact even the most basic security measures: it did not protect data in transit with SSL/TLS encryption, it stored security questions and answers in plaintext, and it hashed passwords without a per-user "salt," a lapse that lets an attacker crack many stored hashes at once with precomputed tables. (9) All of these measures have been standard practice in systems security for at least a decade. (10) "It's taken me not much more than a cursory review of publicly observable behaviours to identify serious shortcomings," Hunt wrote. (11)
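The two technical failures singled out above, the injectable query and the unsalted password hashes, are easier to reason about side by side with their fixes. The following is an added example written for this discussion; it is not code from the article, from VTech, or from Hunt's analysis. The table, column names, sample users, and passwords are constructed for illustration only, and PBKDF2 is used for the salted form simply because it ships with Python's standard library (bcrypt, scrypt, or argon2 would be equally appropriate).

```python
"""Added example (not the article's or VTech's code): an injectable query
beside its parameterised fix, and an unsalted password hash beside a
salted, slow one, using a scratch SQLite database."""
import hashlib
import hmac
import secrets
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample data; not VTech's schema or real accounts.
USERS = [
    ("alice", "password123"),
    ("bob", "password123"),    # same password as alice, see hashing below
    ("carol", "correct horse battery staple"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a constructed 'parents' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parents (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO parents VALUES (?, ?)",
        [(u, f"{u}@example.invalid") for u, _ in USERS],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Deliberately vulnerable: the username is spliced into the SQL text,
    so a value such as  ' OR '1'='1  rewrites the WHERE clause and the
    query returns every row instead of one."""
    sql = f"SELECT username, email FROM parents WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Fixed: the driver binds the value as data. Whatever it contains is
    compared as a string and never parsed as SQL."""
    sql = "SELECT username, email FROM parents WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# ---- password storage ------------------------------------------------------

def hash_unsalted(password: str) -> str:
    """The weak pattern: one fast, unsalted digest. Two users with the same
    password get identical hashes, and a single precomputed table of
    common passwords cracks all of them in one pass."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Per-user random salt plus a deliberately slow key-derivation
    function. Stored form: iterations$salt_hex$hash_hex, so the salt and
    cost travel with the hash and can be verified later."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant
    time so the check does not leak how many bytes matched."""
    iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable    :", lookup_vulnerable(conn, payload))      # all rows
    print("parameterised :", lookup_parameterised(conn, payload))   # no rows
    print("unsalted alice == bob:",
          hash_unsalted("password123") == hash_unsalted("password123"))
    a, b = hash_salted("password123"), hash_salted("password123")
    print("salted alice == bob  :", a == b)
    print("verify(alice)        :", verify_salted("password123", a))
```

Run as a script, the injected payload returns all three constructed rows from the vulnerable lookup and none from the parameterised one; the unsalted hashes for alice and bob are identical, while the salted ones differ yet both verify. The design point is that the fix for injection is not input filtering but keeping data and query text separate, and the fix for hash cracking is not a stronger digest but a unique salt and a cost factor per password.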

The VTech hack demands our attention not only for the sensitivity of its victims, but also because VTech's example so sharply contrasts with reasonable conduct and good practice. Studying VTech's experiences and choices can provide organizations with valuable insights about how they should be approaching cyber-risk. This article provides an overview of the cybersecurity legal framework and advocates for a proactive and adaptive approach to managing cyber-risk that transcends today's reactive paradigm.

Legal and Regulatory Framework of Cybersecurity

The current U.S. legal framework for cybersecurity is a patchwork, consisting of a number of overlapping federal standards aimed at regulated entities in various sectors, state cyber-breach notification laws, state statutes, and case law arising from consumers' actions against companies. Despite the lack of a comprehensive standard, a requirement for organizations to implement affirmative cybersecurity practices has arisen as a result of the body of administrative law stemming from Federal Trade Commission (FTC) enforcement actions. Although the FTC lacks any specific statutory authority to regulate cybersecurity policy, it has repeatedly used its broad [section] 5 authority to prohibit "unfair or deceptive acts or practices in or affecting commerce" to enforce data protection standards against companies. (12)

A "deceptive" act is a representation or omission that is likely to mislead a consumer into using a product or service. (13) In the context of cybersecurity, when an organization claims in its website security policy that it "adequately secures data" but then fails to implement good cybersecurity practices, it has committed a deceptive act subject to FTC action. (14) The agency may also interpret the existence or lack of a given cybersecurity practice as "unfair" when it causes, or is likely to cause, injury to consumers. (15) In contrast to the deceptive practices standard, the organization does not need to have represented itself to consumers as having adequate data security. (16) No actual cyber-breach needs to have arisen under either standard. (17)

While the precise boundaries of the FTC's authority are unsettled, over the course of approximately 100 cases, the agency has established an evolving conception of "reasonable cybersecurity" in general commerce. (18) The FTC has been less than sympathetic with organizations that allege "reasonable cybersecurity practice" is too amorphous a standard for guidance. Indeed, at a panel discussion on cybersecurity issues on March 9, 2016, FTC Commissioner Terrell McSweeny expressed incredulity that organizations continue to claim that "reasonable security" is an ambiguous term. (19) Guidelines for implementing reasonable security processes are "all over our website," said Commissioner McSweeny. "It means having a process, appointing responsible people for implementing the process, providing training, and so on.... Companies not making any attempts at reasonable security measures are doing so at their own risk." (20) The risk to which Commissioner McSweeny refers is the legal and regulatory risk of FTC audit and enforcement activities. (21)

Regulated Sectors

In addition to the FTC baseline oversight applicable to general commerce, many business sectors have individualized practices, standards, and regulatory bodies. In some cases, these define a rigid compliance framework to which businesses in that sector will be held accountable by overseeing regulatory agencies. In other cases, the practices and guidelines are not rigidly enforced or audited, but instead frame the understanding of reasonable cybersecurity practice for that sector. While each of the individual regulatory agencies has its own enforcement personnel and objectives, most have a reasonable cybersecurity standard and interpret that standard in light of the practices and guidelines applicable to that sector.

The individual practices and guidance of each agency are too numerous and complex to comprehensively discuss here, but a few examples are illustrative. The Federal Communications Commission (FCC) has powers similar to the FTC's to regulate broadcasters and common carriers under [section] 222 for their treatment of customer data. (22) The FCC recently previewed new draft broadband privacy rules that would extend the requirements for minimum security processes and consumer data breach notification to internet service providers. (23) The Commodity Futures Trading Commission (CFTC) broadly requires reasonably designed cybersecurity practices for companies operating in the financial markets and has drafted numerous guidelines relating to the security of transaction data and consumer personal and financial information. (24) CFTC's chair views cybersecurity as "the primary risk to financial markets." (25) The Consumer Financial Protection Bureau (CFPB) enforced a consent order and $100,000 civil monetary penalty against Dwolla, Inc., an online payment platform. (26) Among other things, Dwolla claimed, but failed, to comply with payment card industry (PCI) standards. (27) This example shows that the CFPB is willing both to interpret and enforce external industry standards when regulated entities are deceptive about compliance. Dwolla also failed to encrypt even the most sensitive customer data, including bank account information and Social Security numbers, contradicting its claim to encrypt and store securely 100 percent of consumers' information. (28) The consent order mandated that Dwolla obtain outside auditing for a period of five years to ensure compliance with "procedures and standards generally accepted in the profession." (29)

Florida and Other States

Cyber-breach notification laws now exist in 47 states. (30) In general, these laws require companies to notify consumers when their personal...