05-04-14 | Blog Post
Those of us working in the security and compliance world are very aware of the data privacy rules and enforcement in different regulated industries:
In addition to these familiar players, a new ranger has shown up to the scene and established a stake in investigating and holding companies accountable for protecting data.
Until the recent ruling by the U.S. District Court of New Jersey, many of us in the data security and compliance world haven’t given much thought to the Federal Trade Commission (FTC) and its authority over both regulated and non-regulated industries when it comes to cybersecurity and data protection.
It may come as a surprise that there have been over 50 cases where the FTC has stepped in and extracted settlements from companies that have had data breach incidents. Now the U.S. District Court has affirmed the FTC’s broad authority to take actions against companies who have had lapses in data security – and more specifically when those lapses have involved breaches of personally identifiable information (PII) that companies hold on their servers and in their databases.
Apparently, this applies not just to regulated industries, but to non-regulated industries as well. Any company that holds PII can be the subject of an FTC action if they are not properly securing that data.
This was the case for Wyndham Worldwide Corporation in its claims against the FTC. They argued that they were not in a regulated industry and that the FTC couldn’t arbitrarily decide to prosecute them. Under Section 5 of the FTC Act, the FTC can go after companies that engage in unfair or deceptive acts. The court ruled that a company engages in unfair acts or practices if the company’s data security practices cause or are likely to cause substantial injury to consumers that is:
In Wyndham’s case, the FTC went after them because they failed to use readily available security measures, establish good security policies and procedures, keep their systems patched to fix known security problems, and lacked the ability to detect and respond to intrusions. The result of Wyndham’s lax cybersecurity was multiple data breaches between 2008 and 2010 and the theft of credit and debit card numbers of hundreds of thousands consumers by cybercriminals.
The U.S. District Court confirmed the FTC’s authority to pursue a broad range of companies that don’t fall under industry-specific regulations.
The moral of the story seems to be – if you are holding ANY type of personally identifiable information (PII) data on your servers or in your databases, the government is expecting you to properly secure that data. Now the U.S. District Court has just given the FTC the teeth to enforce those expectations for data privacy and security.
RELATED
Webinar: Is the FTC Coming After Your Company Next? Court Confirms that the FTC Has Authority to Punish Companies for Poor Cyber Security Practices
Last week, IT privacy and security attorney Tatiana Melnik (left) dove into the implications for businesses storing personal customer information as FTC enforcement becomes increasingly stringent. Check out a replay and download the slides from that webinar.