It says it "does not require perfect security; reasonable and appropriate security is a continuous process of assessing and addressing risks; there is no one-size-fits-all data security program; and the mere fact that a breach occurred does not mean that a company has violated the law."
Settling with the FTC, though, can be burdensome. Companies that sign consent decrees with the FTC to settle charges are saddled with having their security practices assessed by the FTC 10 times, once every two years. "You are married to the FTC for 20 years," Sotto says. There is no monetary penalty unless there is a second offense, and then penalties can be $16,000 per day per violation.
Individual states such as Massachusetts, California and Nevada have data-protection statutes that also call for measures that are "reasonable" and "appropriate," she says. "It's not fair to say those are weasel words. It's difficult to mandate reasonable standards."
There are many attempts to set standards to protect data. For example, the Gramm-Leach-Bliley Act requires written information security programs spelling out administrative, physical and technological safeguards to protect customer information. "It's that vague," she says.
Beyond laws, regulations governing various industries also come into play by demanding compliance with often frustratingly vague requirements, she says.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires administrative, physical and technological safeguards, and tries to spell them out. The downside is they were written in the early 2000s. "They're ancient history," she says, but they are required by law, so businesses are forced to meet them despite newer defenses created in the meantime that might be better to protect their current environment. "In a nanosecond it can change."
HIPAA allows up to $50,000 in sanctions per incident for willful neglect by the entity that suffers a breach, Straight says. The problem is that willful neglect has an unclear definition, so it's hard to know when it applies. Penalties can be more severe and include prison terms. "It's very difficult for federal regulators to provide specific information on what you need to do to fulfill regulators' requests," Straight says.
Terminology is vague enough to begin with, such as requiring "reasonable efforts" and "appropriate security programs" to keep data safe, but what that means in practice can change. "It's a very unsettled time," he says.
The credit card industry has its own standard, known as the Payment Card Industry Data Security Standard (PCI DSS). As a practical matter, being PCI compliant doesn't help, Straight says. "That's the joke in the security industry: no company that's compliant with PCI DSS has ever been breached, because a re-audit finds they were not compliant at the time of the breach," he says. "I'm not aware of any that's been certified compliant at the time of a breach."