An appeals court has silenced any questions about whether the Federal Trade Commission (FTC) should have the authority to punish companies for security breaches.
The decision in FTC v. Wyndham Worldwide Corp. solidifying the FTC’s data security authority stems from a series of hacks of Wyndham’s computer systems in 2008 and 2009. The personal and financial data from more than 619,000 customers was stolen, resulting in more than $10.6 million in fraudulent charges. Text of the opinion is available here: http://www2.ca3.uscourts.gov/opinarch/143514p.pdf
The FTC filed suit in June 2012, alleging that Wyndham had engaged in “unfair and deceptive” cybersecurity practices since 2008 that “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”
Wyndham challenged the FTC’s authority to regulate data security issues under the “unfairness” prong of the FTC’s consumer protection powers, and the Third Circuit answered with a resounding “yes.” The ruling also gave the go-ahead on the lawsuit against Wyndham.
“While the FTC has been active in seeking to address data security issues, this is the first major ruling confirming that it has the authority to do so,” Michael Hindelang, head of the data security/privacy litigation and e-discovery/information management practice groups at Honigman Miller Schwartz and Cohn, told Legaltech News.
Hindelang predicted that the FTC will likely “look to increase its regulatory activity in this area now that its authority has been upheld. Accordingly, companies that don’t adequately protect their customers’ data run the risk of having their behavior deemed an unfair trade practice by the FTC.”
As ARMA International reported in May 2015, the U.S. Justice Department on April 29 released a guidance document outlining best practices for companies developing a response plan or reacting to a data breach. The guidance, drafted by the Justice Department’s Cybersecurity Unit, reflects “lessons learned by federal prosecutors while handling cyber investigations and prosecutions, including information about how cyber criminals' tactics and tradecraft can thwart recovery.”
The key of course, is to conduct as much planning as possible before a breach takes place. By defining a process in advance that clearly defines roles and responsibilities for all players in a breach response, an organization can respond quickly and efficiently within pre-established parameters. A resource available from ARMA International will help organizations identify the data breach laws they must comply with. Titled Comparison of Data Breach Laws Across the United States - Job Aid, this document is available for purchase through the ARMA International online store at www.arma.org/bookstore.