FTC provides advice on US NIST Cybersecurity Framework and FTC requirements

The US Federal Trade Commission (‘FTC’) has provided advice to businesses on whether complying with the National Institute of Standards and Technology’s (‘NIST’) Cybersecurity Framework means that companies are also complying with the applicable FTC data security requirements in a blog post on 31 August 2016.

The blog post explains that the FTC is regularly asked the question ‘If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?’ and goes on to clarify that ‘the Framework does not introduce new standards or concepts; rather, it leverages and integrates cybersecurity practices that have been developed by organisations like NIST and the International Standardization Organization (‘ISO’).’ The blog post states that ‘there is no such thing as “complying with the Framework.”’ It does, however, explain that the Framework is consistent with the FTC’s approach; for example the Framework takes a similar approach to Section 5 of the FTC Act on enforcement, which the FTC uses to determine if a company’s processes and data security are reasonable…

According to the information technology research company Gartner, the NIST Framework was used by 30% of US organisations in 2015, with the number expected to climb to 50% by 2020. Michelle Cohen, Member at Ifrah Law PLLC comments that while large organisations have resources and staff to align their practices with the Framework, “I am concerned about smaller and mid-sized organisations. As the FTC has stepped up enforcement actions and plaintiff’s lawyers seek to bring class actions for every breach, I think more robust education, training and guidance on the Framework, FTC expectations, and information on data security resources should be offered to smaller businesses. Additional local and regional forums hosted by the FTC, would help in this regard.”