Taking action against companies that have failed to enact strong cybersecurity measures is nothing new for the U.S. Federal Trade Commission (FTC). The independent agency, charged with the promotion of consumer protection and elimination and prevention of anticompetitive business practices, has been filing such claims for years, initiating (and settling) more than 50 cases against organizations for cybersecurity issues over the last decade, according to FTC spokesperson Jay Mayfield.
However, a unanimous decision by the Third U.S. Circuit Court of Appeals appears to have strengthened the agency’s authority to pursue cases against companies for not establishing adequate cybersecurity protocols, or failing to follow specific procedures to limit and mitigate damages, says Jane LeClair, chief operating officer at the National Cybersecurity Institute at Excelsior College in Washington, D.C.
In August, the Third U.S. Circuit Court of Appeals ruled the Federal Trade Commission was permitted to proceed with a lawsuit alleging hotel chain Wyndham Worldwide Corp. bore some responsibility for three security breaches between 2008 and 2010, during which hackers allegedly stole more than 619,000 credit- and debit-card numbers.
Not surprisingly, Wyndham and security experts argued that because the FTC has not specified clear guidelines for what would constitute adequate security, there is some ambiguity in terms of what would constitute a breakdown or lapse in security that is punishable via prosecution by the agency. "It’s a little bit of a moving target, because there are no regulations to look up, or there are no defined set of protocols to look up which will necessarily tell you what to do," says Scott Vernick, a partner and head of the data security and privacy practice at Philadelphia law firm Fox Rothschild LLP. "So when the FTC comes knocking, it’s always a retrospective or hindsight look."
Vernick says because the FTC has published the results of past prosecutions and settlements, companies should have a reasonably clear indication of the agency’s cybersecurity expectations. Furthermore, in June, the FTC released "Start With Security," a guide for businesses that includes 10 practical lessons to be learned from the FTC’s previous 50 settlements.
Cybersecurity experts have welcomed the August ruling, noting that corporations have a responsibility to protect consumer data, and stricter regulation and penalties are the strongest means available to compel companies to act.
"There’s not a lot of leverage the government has when companies have really [inadequate] security," says Bruce Schneier, a security technologist and Fellow at the Berkman Center for Internet and Society at Harvard Law School. "Ashley Madison is a great example; they lied, they had horrible security, and lots of people are paying very high prices for it. A government lever against that sounds like a good thing. Could it be a problem? Yes. Everything government does ever since government was invented could be a problem; it doesn’t mean we throw away government."
While there are always concerns about overregulation—Vernick says any specific cyber regulations that become law may put a significant financial compliance burden on small and medium-sized companies—the National Cybersecurity Institute’s LeClair says consumers’ data must be protected.
"We have two sides to this coin, which are both pretty vocal," LeClair says. "One side is saying that this is a slippery slope, and we’re giving the FTC too much opportunity to [prosecute companies for cyber-breaches]. The other side is saying, ‘Geez, this is happening every day. Organizations are not doing enough to ensure the safety of customer data’."
Vernick adds that in the absence of sector-specific cyber regulations, which are already in place for the financial industry (via the U.S. Securities and Exchange Commission) and the utility industry (via the U.S. Department of Energy), the FTC has generally looked at how companies have managed three key issues: the type of data collected, how long the data is kept, and which parties have access to the data. "If you think back to every data breach, it all comes back to those three questions," Vernick says. Examples include the Target Corp. breach, in which a contractor had access to the company’s payment card database; a file at Sony, labeled "passwords," that contained passwords for sensitive personal data; and the Avid Life Media (Ashley Madison) breach, in which user data that was supposed to be deleted was retained on the company’s servers.
The security experts agree on the importance of robust data security policies, and that the actions taken prior to, during, and after a breach must align with those policies. Vernick adds that large or small, businesses likely will continue to see the FTC looking closely at their cybersecurity issues, emboldened by its latest court victory.
"I think that the FTC will feel the full wind behind their sails, and bring more companies into its crosshairs," Vernick says. "If you look at what the FTC has done in the past, they don’t discriminate between small, medium, or large companies."
Keith Kirkpatrick is principal of 4K Research & Consulting, LLC, based in Lynbrook, NY.