Thursday, September 17, 2015

FTC's Ruling on Cybersecurity

A recent decision by the Third U.S. Circuit Court of Appeals has confirmed that the U.S. Federal Trade Commission has the authority to investigate and charge individual companies with “unfair trade practices” for failure to “protect customers from the theft of on-line data” (Raysman & Morris, 2015).  The judgment stemmed from a lawsuit filed by the FTC against the Wyndham hotel chain.  The Commission sued the hotel chain over a series of data breaches that resulted in $10.6 million in fraudulent charges to customers’ credit cards (D’Annunzio, 2015).

Until now the FTC had routinely filed and settled similar claims against corporations over faulty security controls such as out-of-date software, inadequate firewalls, or routine security practices that were not being followed.  Given the absence of a clear federal cybersecurity regulation for companies, legal observers view this latest ruling as the first of many more lawsuits to come.  According to Scott Vernick, a Philadelphia-based Fox Rothschild attorney who represents Fortune 500 companies in data breach matters, the FTC’s affirmed authority could apply to data breaches like those at Sony, Ashley Madison, Target and Home Depot (D’Annunzio, 2015).

Because of this new exposure to claims by government regulators, Raysman & Morris (2015) advise CIOs to act defensively to mitigate the potential damage from data breaches and the lawsuits that follow them.  Defensive steps to consider include:

Compliance with the NIST Cybersecurity Framework.  The National Institute of Standards and Technology has issued a “Framework for Improving Critical Infrastructure Cybersecurity,” which is becoming a de facto cybersecurity standard for U.S. regulators. The Framework works like a gap analysis: a company documents a Current Profile of its existing practices against the Framework’s functions (Identify, Protect, Detect, Respond, Recover), defines a Target Profile, and treats the difference between the two as the gap to close.  If a company can demonstrate to the FTC that it has implemented the Framework, that evidence may help persuade the FTC that there are no grounds to file a complaint.

Updating of data and privacy policies. Most companies have a data privacy and security policy. However, many of those policies were written several years ago and may not reflect current standards and practices. A company should review and update those policies regularly so that they comply with the most recent cybersecurity requirements.

Report by a respected third-party consultant. Virtually every major information technology consultancy now has a cybersecurity practice.  Although it is an added expense whose value may only become apparent after a breach, a CIO should retain a respected consultant to perform an annual data security review, update the company’s security to comply with the report’s recommendations, and obtain from the consultant a report confirming that the company has implemented the most current anti-hacking processes and protections.

Risk manager involvement. The CIO should actively coordinate with the company’s risk managers so that they, too, document the company’s compliance with the most recent protective steps for cybersecurity.

Cybersecurity insurance.  Cybersecurity risks are often excluded from a commercial general liability insurance policy.  The CIO should review the company’s cyber insurance policy to ensure that it provides the necessary coverage in the event of a hack and any subsequent regulatory and legal action by the FTC and others (Raysman & Morris, 2015).

References
D’Annunzio, P. J. (2015). FTC ruling will lead to more cybersecurity suits, lawyers say. Pittsburgh Post-Gazette. Retrieved from http://www.post-gazette.com/business/legal/2015/09/15/FTC-ruling-will-lead-to-more-cybersecurity-suits-lawyers-say/stories/201509150004

Raysman, R., & Morris, F. (2015). What CIOs need to know about the FTC cybersecurity ruling. The Wall Street Journal. Retrieved from http://blogs.wsj.com/cio/2015/08/31/what-cios-need-to-know-about-the-ftc-cybersecurity-ruling/