How (and why) to apply federal compliance guidance to security and privacy programs
August 3, 2020 Update: In June 2020, the DOJ updated their guidance document referenced in this post. You can find the new link here. The June guidance updates are not very extensive but they do highlight the need for continuous program evaluation and improvement, the importance of adequate resources and the responsible team being empowered to function effectively.
July 14, 2019
tl;dr 1) Security and privacy programs need a supportive company culture for success. 2) The FTC is using federal guidance on compliance program effectiveness in privacy and security enforcement orders, with the Facebook case as a recent example. 3) We should be using the federal guidance to build or improve privacy and security programs because the goal of the federal guidance is to instill a culture of compliance. Based on the recent Facebook case, that now extends to a culture of privacy (and security).
The human element
Humans drive company culture. So we hear a lot about how important the human and cultural element is to the success of a company's security and privacy program.
How can we build (or improve) a program to actually achieve a culture of security and privacy?
There is no single correct answer. Our business and threat models are different. But there is an existing framework aimed at helping companies design a program that promotes ethical behavior and provides tools to create a supportive culture.
Federal guidance on effective compliance programs provides a framework with company culture as the ultimate goal.
This guidance is something that startups and bigger companies can use for program building, gap analysis, and influence-building in the wider organization.
It was written by federal agencies in the context of enforcement, but I'm suggesting that we flip it on its head and use it to be proactive as we build and scale privacy and security programs. If you're able to use the guidance to put a security and privacy governance structure in place early, it will help immensely later on (more on that below).
But ... box-checking stinks
Yes, compliance involves box-checking. The first thing we think of is the act of compliance, which is what manifests as the much-maligned “box-checking” exercise.
If compliance is just about box-checking, why would I want to apply guidance on box-checking to privacy and security?
Security and privacy both need compliance to work (e.g. customer contracts, SOC 2 controls, HIPAA) but what I’m talking about is not the “check-the-box” acts of compliance.
A program is different from an act.
The federal guidance I'm talking about involves a holistic approach to building a program with the ultimate goal of creating a supportive culture in your organization.
What is the guidance?
Two federal agencies offer guidance on what they look for in an effective program: the United States Sentencing Commission (USSC) and Department of Justice (DOJ). The compliance field has used their guidance for decades when building and implementing compliance programs.
The USSC Sentencing Guidelines are meant to incentivize organizations to implement programs that encourage ethical conduct and compliance with laws. These guidelines are applicable to any size organization, because they are not prescriptive.
There are no precise details for implementation. The program elements discussed by the USSC can be applied to any size organization and any business model because the goal is to promote a culture of compliance. Here is a summary of the most commonly cited elements of the guidance:
The DOJ weighs in on effective compliance programs in both the Justice Manual and the Evaluation of Corporate Compliance Programs Guidance Document.
The latter was recently updated in April 2019. I recommend reading this one because it includes specific questions around program design, implementation and effectiveness that you can use to evaluate your program (substitute references to "compliance" with "security and privacy").
Below is an excerpt of some of the key program topics covered in the DOJ's April 2019 Guidance Document.
For example, under Management Commitment:
"How have senior leaders, through their words and actions, encouraged or discouraged [security and privacy]?"
"What concrete actions have they taken to demonstrate leadership in the company’s [security and privacy] efforts?"
You might find it useful to ask these (and more questions in the document) about your company.
Sounds nice, but why use it for security and privacy programs?
There is a lot of overlap around compliance, ethics, trust, and security and privacy (see header image) because they are risk functions. As teams in small or large companies, we simply can't operate in silos.
Speaking from experience at a startup, the framework and questions posed in the federal guidance can help us with the "how" of what all risk folks want: embedding a company culture that supports and enables effective risk management, whether it's a culture of security, privacy, compliance, or all of the above.
In a past life when I was on a team involved in federal investigations, I got first-hand experience with compliance program expectations of federal regulators (and what doesn't cut it).
When I began building a new security, privacy and compliance program at a startup, I used the guidance as a framework. This helped lead to mostly painless SOC 2 Type II certifications and independent GDPR and HIPAA compliance evaluations, as well as smoother sales cycles (particularly with government clients).
The framework is already in the wild
If you follow Federal Trade Commission (FTC) privacy and security enforcement activity, you may have noticed more orders and settlements containing program requirements.
Let's look at some examples of FTC privacy and security program requirements compared to the federal guidance on compliance programs.
First, the Facebook Order where the FTC required the company to establish, implement and maintain a "comprehensive privacy program" (the basis for the reported $5 billion fine).
Federal Guidance (program elements) vs. FTC Facebook Order (2012):
Examples are not limited to privacy programs. Here is an example of a 2015 case where the FTC ordered a company to establish, implement and maintain a "comprehensive information security program."
Federal Guidance (program elements) vs. FTC Wyndham Order (2015):
In April 2019, the FTC issued a press release discussing their thinking behind issuing stronger requirements in privacy and security enforcement cases.
This was followed in July 2019 by another settlement containing a "comprehensive software security program requirement." We can be sure that there will be more orders with program requirements coming from the FTC.
What happens with these program orders? Or, how will federal agencies evaluate security and privacy programs?
Based on these examples, it appears that the FTC is using the USSC and DOJ elements of an effective compliance program in security and privacy program orders. But, when it comes to evaluating effectiveness of these programs, what might happen?
I don't think federal agencies will devise a new standard to measure the effectiveness of privacy and security programs. I think it's likely that they will use the established federal guidance.
We may soon have the chance to find out. Rumors have circulated for several months of new settlement negotiations between Facebook and the FTC regarding the "comprehensive privacy program" ordered in 2012 (see above).
In fact, several outlets are reporting that a $5 billion settlement agreement was approved by the FTC and is heading to DOJ for review.
As part of this rumored settlement, if the FTC determines that Facebook did not comply with the privacy program requirements described in the 2012 order, how is that determination being made?
In other words, how is the FTC judging the effectiveness of Facebook's privacy program (or presumed lack thereof)?
If details of the new settlement are published, the FTC's thinking may be revealed. There is a strong chance that it will align with DOJ's April 2019 Guidance Document and their specific questions regarding program design, implementation and effectiveness.
One potential hint is the rumor that Facebook may be creating specific, high-level and independent positions to oversee and be accountable for their privacy program.
Reports of these new positions at Facebook combined with a quick review of the DOJ's guidance on "Autonomy and Resources" (see pages 10-12) indicate that the FTC is using the DOJ playbook.
How you can apply the guidance
Startups can use the federal guidance as a security and privacy program roadmap. If you look at the elements of effective programs and review the questions posed in the DOJ's guidance, it can serve as a proactive guide to help you achieve program goals.
This is where I started (as a one-person team). I found it very useful for defining and prioritizing what elements to implement first, especially tone at the top and management commitment to the program.
As the company grew from 25 when I joined to over 140 now, having these structural "bones" in place helped us scale from both a capability and organizational culture perspective.
For larger companies where you aren't building a program from scratch, the federal guidance is still very useful. Instead of the building context, use the guidance to perform a gap analysis.
It may also be very helpful for gaining additional resources or influence in your organization. There are no prescriptive details when it comes to program implementation; however, the guidance states clearly that in order for a program to be effective, the personnel on the team must be empowered within the company and have sufficient resources to carry out their roles.
Everyone: culture is the end game
The federal guidance provides a program framework with culture as the ultimate goal, which is something we all have in common. Culture is mentioned eight times in the April 2019 DOJ Guidance Document.
You can easily imagine a situation where you are trying to convince a business leader why their words and actions are so critical to a security and privacy culture. This guidance is something you can point to, because it discusses in detail how the federal government evaluates culture in an organization. We should use this guidance to be proactive as we build and scale security and privacy programs.
We are all human, and humans drive company culture.
This article was adapted from a talk I did at Deflect 2019 and a recent article I wrote about the FTC Facebook case. Learn more about Risk Salon and Deflect here. Thanks for reading!
Follow me on Twitter @ldhawke