Judith Germano follows up on a post by FTC Assistant Mark Eichorn on what to expect if the FTC comes calling after a breach.
Germano writes, in part:
The Department of Justice has been reaching out for years to assist victims of data breaches. Indeed, many times it is the government who informs a company that it has been breached, and (to varying degrees) assists the company in determining the cause and extent of harm. But there is another side to the government’s role in cybersecurity: the FTC and other regulators have investigated and brought actions against a number of corporate breach victims for failing to adequately prevent, detect, disclose and respond to incidents. Describing this conduct, one executive remarked to me: “it is as if the government is crawling back over the battlefield to shoot the wounded.” But regulators and proponents of these enforcement actions have emphasized the need to protect consumers, taking the position that regulatory enforcement actions against corporate breach victims will encourage improved cybersecurity hygiene, more accurate disclosures, and a more robust response to a breach.
Read more on Just Security while I think about whether we have any evidence that such regulatory enforcement actions have resulted in improved cybersecurity hygiene, more accurate disclosures, and a more robust response to breaches. I think actions by state attorneys general and state legislatures have resulted in prompter notifications of breaches, and lawsuits and state attorneys general have resulted in more mitigation services offered to consumers, but is there any evidence that federal regulatory enforcement actions have resulted in improved cybersecurity hygiene or more accurate disclosures, etc.? And no, that’s not a rhetorical question. What metrics would we use to answer that question?