Hayes Hagan

As the FTC has stepped into a role of regulating cybersecurity, there has been much debate about the relative effectiveness of standards-based versus rules-based regulation. Initially, the FTC adopted broad standards, but it appears to be moving toward a more rules-based approach.

Proponents of standards argue they are more flexible. They can apply to companies of different sizes and maintain relevance as technology and threats change. A regulation requiring “reasonable” or “industry standard” measures does not require frequent updates or tailoring. However, this approach is less prescriptive and does not offer companies the degree of certainty that comes with complying with delineated rules.

The New York State Department of Financial Services (“NYDFS”) cybersecurity regulation has become the paragon of a rules-based approach. Requirements such as encryption, multi-factor authentication, and vulnerability assessments are specific and clear. To mitigate the burden on smaller companies, the regulation offers exemptions from certain requirements.

Meanwhile, the FTC has taken a more standards-based approach. Its Standards for Safeguarding Customer Information rule (“Safeguards Rule”)—which applies to financial institutions that are not regulated by the federal banking agencies, the SEC, or state insurance authorities—mandates “taking reasonable steps” in “maintaining appropriate safeguards.” These requirements enjoy broader applicability, but offer less certainty.

This past summer, the Eleventh Circuit dealt a blow to this standards-based approach, vacating a cease and desist order issued by the FTC as unenforceably vague. LabMD, Inc. v. Fed. Trade Comm’n, 894 F.3d 1221, 1236 (11th Cir. 2018). While this order did not implicate the Safeguards Rule, many observers read it as endorsing a more rules-based approach to cybersecurity regulation.

Earlier this month, the FTC proposed amendments to the Safeguards Rule. These amendments reflect a shift to a more rules-based approach and specifically admit to following the model of the NYDFS. The commentary to the proposed amendments explicitly states, “These amendments are based primarily on the cybersecurity regulations issued by the New York Department of Financial Services.” For now, the FTC may be limiting its adoption of rules-based regulation to its rules for financial institutions, but this adjustment may signal a shift in its broader approach to cybersecurity regulation. As the FTC contends with its setback in the Eleventh Circuit, it may find prescriptive rules more easily enforceable and turn to them more frequently.