Data Breaches and the Damage Done: New Ruling Grants FTC Regulatory Authority for Cybersecurity
The Third Circuit's recent ruling sets a new precedent for the FTC's ability to regulate data breaches and other cybersecurity incidents. What does this mean for the security industry?
In another win for consumer protection, the Third Circuit has ruled that the Federal Trade Commission has the authority to regulate cybersecurity under the “unfairness prong” of Section 5 of the Federal Trade Commission Act. The Court set this precedent in Federal Trade Commission v. Wyndham Worldwide Corporation. In Wyndham, the FTC alleged that the defendant’s computer systems were hacked three times between 2008 and 2009 and that, taken as a whole, the company’s practices “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” Specifically, the FTC alleged that the company stored payment card information in clear, readable text; used easily guessed default passwords; kept an inadequate inventory of the computers with access to its network; and did not take adequate measures to protect against, detect, or respond to the intrusions.
This case made its way to the Third Circuit on appeal of the District Court’s denial of the defendant’s motion to dismiss. The Court made quick work of the defendant’s arguments and found that the FTC has the authority to regulate cybersecurity, offering a potential answer to the public outcry for federal regulation on the topic. Now the interesting work begins, and it is likely to create more questions than it answers. Will we see the FTC championing cybersecurity regulation on par with HIPAA? With the FTC’s authority now firmly established, it seems likely the agency will turn to the rulemaking process.
On March 3, 2015, Jessica Rich, Director of the Bureau of Consumer Protection, gave a glimpse into the thought process of the FTC. Specifically the agency aims to address three high-level areas: big data, mobile, and sensitive information. On big data, the FTC’s “… central message is that, even in the face of rapidly changing business models and technologies, companies still need to follow the fundamental privacy principles – including; don’t collect or retain more data than you reasonably need, tell consumers how you plan to use and share their data, give consumers choices about their privacy, and protect data from unauthorized access.”
On the topic of mobile, Ms. Rich appears to be struggling with the same issues as much of the industry. Her comments on the topic are short and to the point: “… we’ve issued several reports about kids’ apps, mobile privacy disclosures, and mobile payments. These reports stress the need for privacy by design, transparency, and easy-to-exercise choices for consumers.” As broad as this statement is, she stresses that mobile will be a key focus for the FTC throughout 2015. She quickly moves on to the protection of sensitive information.
She starts by reiterating the agency’s commitment to privacy protection: “protecting sensitive data isn’t really a new priority – it’s one of the original priorities we started with at the very beginning of our privacy program.” Beyond that, the specifics of the goals are rather light, but she is quick to point out that the agency’s “… work to protect sensitive data also includes 55 cases to date against companies that failed to implement reasonable security protections…” One of those companies is undoubtedly the defendant in this case.
For the millions of consumers who are already victims of these data breaches, the damage is done. But now they have a powerful advocate in their corner to help fight for the protection of sensitive data going forward.
Darren Greaney is general counsel at Digital Guardian.