Cybersecurity: A Job for Uncle Sam

Orson Swindle has long been one of the nation’s most cogent advocates of the notion that industry self-regulation is the best way for American businesses to improve information security and privacy. A Republican appointee to the Federal Trade Commission by President Bill Clinton in 1997, Swindle used his seven-year term to promote the creation of a “culture of security” in which the government, businesses and consumers work together to improve security.

These days, however, Swindle is coming around to the idea that federal regulation—carefully crafted and keeping in mind the costs and benefits to affected businesses—may be necessary to protect American businesses and consumers. His experiences with the FTC have made him aware of the limitations in the country’s existing infrastructure to protect consumers against identity theft.

Swindle, 69, is now chairman of Security Initiatives for the Center for Information Policy Leadership at the law firm Hunton & Williams, and he is also a distinguished fellow at the Progress & Freedom Foundation, a think tank. He spoke with Sarah D. Scalet, a Senior Editor with CSO, our sister publication, about the challenges of improving information security and privacy.

CIO: What’s your perception of the state of information security today, and how close are we to creating this “culture of security” that you’ve envisioned?

Orson Swindle: We do have problems. I don’t think the problems are nearly as bad as they are perceived, and part of that has to do with how the media covers things. This past year we’ve had probably in excess of 100 disclosed breaches, but the jump from disclosed breaches to grievous harm having occurred is a huge one. You’ll hear “40 million credit cards compromised,” but it’s a much smaller number than that—a very low number—where harm has actually occurred. Oftentimes a disclosure is an emotional thing. It causes people to overreact. But that is not to say we don’t have a problem.

It’s understandable that people would be upset when they hear about huge disclosures of information that are out of a private citizen’s hands.

Absolutely. I think there is reason to be concerned. I think consumers need to be always diligent in how they handle their own information. Perhaps of greater significance, those who are in the business of handling the information have to wake up to the reality.

How do we follow the path from when information is stolen, to the point maybe nine months from now when that breach results in identity theft or fraud?

Great minds are working on this, and no one has a neat solution. Say a laptop with a lot of sensitive information on it disappears. Should the company immediately inform all those whose information was there on the lost laptop, when four days later it’s found and nothing’s been done to it? Do we want to cry wolf and scare people, or do we want to evaluate the whole sequence and determine if there is a real harm factor involved with this irresponsibility? As you say, we do have account numbers from credit cards exposed, and the effect of that doesn’t show up for six months. How do you measure that? It’s complicated.

Do you think the law leaves enough room for the company that gets that laptop back to do computer forensics on the hard drive, see that files weren’t accessed in the past four days and not do a disclosure?

Sometimes the information is, in effect—I’ll put quotes around it—”compromised,” yet it has no use because it is encrypted. On the other hand, if because of lousy security a database is hacked into, and the person was doing it for a reason, that’s very different. There’s a management decision to be made involving risk management and risk assessment—trying to come up with the criteria by which you will implement certain reactive types of programs.

This fall, I attended a meeting where some businesses said, Look, we’re not going to invest in enhanced information security because it’s expensive; it has a low return on investment. I said, Really? Tell me how you crank in the risk to your reputation if you have a security breach. What about the cost or the liability of the lawsuits that are coming your way? The collateral damage is just enormous. Avoiding that cost, what does that do for your return on investment?

The marketplace has a way of working. Whether or not it works fast enough to avoid major calamities in the future, I don’t know. But I know this. More burdensome regulation—and certainly more burdensome regulation driven by an emotional circumstance or perceived crisis—often gets us laws with unintended consequences. Cost of compliance is one. Cost-benefit analysis should be a part of any regulation imposing burdens on its targets.

It’s been about a year and a half since the first disclosure law took effect in California, and similar laws have passed or are being considered in many states. Do you classify these disclosure laws as burdensome regulations?

I’m sure some would argue that they’re burdensome, but I think they’re obligatory. I think we are coming to a time when we must assess breaches by some measure for harm, and when there is harm, the firm suffering the breach will be obligated to notify the person about whom the information pertains. It seems to me that if we can tell a bank that if you lose my money, you’re going to be responsible for it—that’s why they insure it—then why not take the same approach with information?

Now we come into that inevitable problem in our federalist system: Do we want to have a standard rather than 50 different ways of doing it? What you get with 50 different ways is, the marketplace will decide which is the most onerous, and [companies will] adopt it and all the others under it.

Right, from a compliance perspective, companies would logically conclude that if they comply with the strictest state law, that would put them in compliance with other laws as well. Are you suggesting that there’s a need for a national disclosure law that’s less strict than California’s?

I wouldn’t begin to characterize it as less strict. Having each state be its own little laboratory is useful in some things, and in some things it creates chaos. I’m saying that there needs to be uniformity. Maybe a national disclosure law would be a mirror image of California. Maybe we combine two or three of the laws and come up with something that everybody says, “Well, that makes sense, let’s do it that way.”

What else do you predict for this legislative year?

We’re going to probably see a broadening or extension of the safeguard rule in the Gramm-Leach-Bliley Act to cover a significant number of organizations that handle sensitive information but that aren’t financial services institutions. There is a new awareness that personal information is very valuable, and it needs to be protected whether we’re talking about a financial institution or a university or a shoe store.

You’ve said in the past that we are not knowledgeable enough to begin regulating. Do you think we’re getting close?

The act of regulating is always moving by its very nature.

I remember the debate back seven or eight years ago we were having on taxing the Internet. I don’t like the idea, and how would you do it? One study said that for a huge firm it might cost 13 cents to collect a dollar in taxes, whereas a little firm would probably have to spend 87 cents to collect that dollar. It just shows you the inequity of legislation. Again, that’s not a product of evil intent. It’s usually the product of number 1, a complex problem, number 2, influence on the way the legislation is shaped, and lastly, just not understanding and thinking through to the end, What’s going to be the effect of all this? Does it make sense? That’s why I have been consistently saying, Let’s not rush in and start legislating. We don’t fully understand this, and even if we did fully understand it right now, six months down the road the situation will have changed.

FTC enforcement of existing laws is certainly an alternative to new legislation. In your time as a commissioner, how effective do you think your attempts at enforcement were?

We were moving. The case with BJ’s Wholesale Club was an example. That was a settlement stemming from a case presented back in May of 2005. [The FTC charged that BJ’s did not reasonably protect sensitive customer information, leading to fraudulent purchases made with counterfeit copies of credit and debit cards.] The FTC’s Unfairness Doctrine relates to conduct that a firm might engage in, which has the consumer at a critical disadvantage. Either the consumer doesn’t know anything about it or can’t do anything to correct it, and there’s no countervailing greater good that comes from the conduct. Using the Unfairness Doctrine, the FTC basically said that BJ’s Wholesale Club, by collecting sensitive and critical information and not taking adequate steps to protect it, had committed an “unfair” act against the consumers. A subsequent case for the FTC was DSW. [The FTC charged that hackers gained access to account information of 1.4 million customers of the shoe discounter.] The FTC nailed them on the same Unfairness Doctrine.

But here’s one of the troubling things about the FTC. It’s a civil law enforcement agency. It has a hard time enforcing criminal-like penalties. To do that, it has to go to the Justice Department, and of course, their plate is just a wee bit full. The FTC can only do so much in the way of punishing, as a famous man in town would say, “the evildoers.” I often out of frustration would say, Our punishment amounts only to a small line item on this guy’s financial statement: penalties paid to the FTC for this. You just wonder about the effectiveness of the penalty structure.

Should the penalty structure be changed?

We need to think about changing it in the context of what we’re dealing with today, as opposed to what we were dealing with 30 years ago. Back then, if I had an important document that I kept in my office, and you wanted to do harm to me, you could break into my office and find it and steal it. That’s a major crime. Today that document might exist in a digital format. It is within information systems that you can break into to steal the document. I’m not sure we think of that in the same way we did that physical thing. We need to rethink the nature of this type of crime and how it stacks up with those things we considered to be grievous crimes in the past.

Do you think the FTC needs criminal enforcement powers?

It’s a controversial thing because the Justice Department is considered our criminal law enforcement. That’s a very hot political potato. I don’t want to get into that. I’ve often been known to say we need criminal authority over at the FTC. What we did as a compromise, perhaps not often enough, was we let some of our attorneys who worked on cases be deputized, in a sense, for the Justice Department.

The FTC recently announced its largest civil penalty to date—a $15 million fine against data broker ChoicePoint. [Disclosure: Hunton & Williams, the law firm where Swindle works, has represented ChoicePoint.] Are you surprised that the largest civil penalty in the FTC’s history now involves privacy and information security?

No. This is serious business. And I think that Chairman [Deborah Platt] Majoras is doing a terrific job of getting that message across. The DSW and BJ’s settlements said similar things, but as I recall there were no dollar figures associated with those settlements. With the ChoicePoint case, there were a number of different violations, including the Fair Credit Reporting Act, thus the penalty criteria is quite different from the “unfairness” nature of BJ’s and DSW. The case involving ChoicePoint is pretty well laid out, and the violation was grievous. The FTC held firm, which I’m proud of.

The position of assistant secretary for cybersecurity at the Department of Homeland Security has been open for months. Why do you think it hasn’t been filled?

I will refrain from answering. I’ll tell you this: This administration, and every administration to follow, had better make a very concerted effort to put technology on the table and adequately stamp it so that we as a country and as a nation can maintain our supremacy in technology development and use. Sometimes I get the impression that we’re not paying enough attention to technology. Every administration needs to pay a lot of attention to it. Information flows and the technology that makes it possible is the lifeblood of our economy—it’s the way we do everything. We have to get this right. Otherwise we’re just setting ourselves up for a lot of misfortune. We have become incredibly lucrative targets of opportunity.