Communications Litigation Today was a Warren News publication.
'Compensating Controls'

Multifactor Authentication, Encryption Debated at FTC Workshop

Multifactor authentication should be a default for companies accessing and transferring customer data, the FTC heard. The agency proposed process-based requirements in April to add to its safeguards rule, which governs how financial institutions keep customer information secure (see 2004200062). Monday’s workshop was meant to gather information for the proposed rulemaking.

When commissioners voted, Noah Phillips and Christine Wilson dissented, saying it may be premature. The safeguards rule is flexible and appropriate when applied to companies of varying size, they wrote.

One proposal is to require companies to implement multifactor authentication for anyone accessing customer information. The agency is particularly interested in input from smaller companies, Privacy and Identity Protection Division lawyer David Lincicum said now. Cyber Readiness Institute Managing Director Kiersten Todt suggested multifactor authentication as a default. RedZone Technologies Chief Technical Officer James Crifasi agreed the practice is universal and useful. It shouldn’t be “bucketed” with encryption standards, which is a common mistake, said Todt.

Another proposal would require all customer data held or transmitted over external networks to be encryption-protected. The FTC suggested that if companies find encryption infeasible, they can use “compensating controls” approved by information security officers. Johns Hopkins University associate professor Matthew Green and Virginia Tech Information Technology Security Officer Randy Marchany supported the encryption proposal. It’s a “no-brainer” for data in transit, said Marchany. It’s more straightforward for data transferred internally, but transferring it between companies or organizations with different standards can create access problems, he said.

Banning warrant-proof encryption wouldn’t prevent bad actors from encrypting their data but would weaken commercial products, the Information Technology and Innovation Foundation reported Monday. Legislation with this goal -- like a bill from Senate Judiciary Committee Chairman Lindsey Graham, S.C., and other Republicans (see 2006240064) -- sacrifices long-term cybersecurity gains for short-term law enforcement gains, wrote ITIF Vice President Daniel Castro: “Costs of subverting commercial encryption would be substantial because they undermine the competitiveness of U.S. businesses and reduce privacy and security.”

At the workshop, some voiced support for the FTC’s proposal to require companies to base their information security programs on risk assessments determining privacy and security risks. An annual risk assessment is a good place to start for small to medium-sized companies, said Techlock CEO Brian McManamon. The risk assessments should include a data access inventory and specifics about data origin and destination, said CyberSecurity Base CEO Rocio Baeza.