The current cybersecurity landscape is unsustainable. Companies are increasingly relying on third parties for conducting services, yet these third-parties continue to be targets of attack due to their weak cybersecurity measures. The problem stems back to the responsibility of contracting companies to ensure the adequate cybersecurity of third parties. This oversight mechanism has proven to be inadequate, and third parties remain untrustable as the weakest link. Moreover, the Federal Trade Commission’s (FTC) inconsistent enforcement of reasonable cybersecurity measures continues this vicious cycle. Until now, the FTC has brought enforcement actions only against larger companies who contract out services to third parties, even in instances where the third party was breached due to their own inadequate security. As a result, third parties lack the major incentive to maintain reasonable cybersecurity measures created by FTC enforcement actions and they operate in a de facto unenforced cybersecurity realm.
Blockchain technology should be implemented as part of a large company’s comprehensive cybersecurity plan. The technology offers a myriad of cybersecurity benefits as it ensures confidentiality, integrity, availability, and resilience. Moreover, the technology, even in its current nascent state, comports with the FTC’s cybersecurity guidelines—found in their 2015 guidebook titled “Start with Security.” Recognizing that the FTC’s reasonableness analysis is done on a case- by-case basis, the absence of blockchain-based data storage by a large company—with adequate means and who collects sensitive information from many people—can be deemed unreasonable. Doing so will limit cybersecurity risk and legal risk. The trust that the blockchain offers, along with the cybersecurity benefits, makes this technology a unique and unparalleled solution to the third-party data breach problem. Large companies handling sensitive and confidential data should start with trust and include blockchain technology as part of their comprehensive cybersecurity plan.