A recent US appeals court ruling has set a new data protection precedent, giving the Federal Trade Commission (FTC) the power to hold companies responsible for data breaches resulting from security negligence.
Essentially, federal and state laws for notification and response have now officially been established to protect consumers in the case of a data breach.
The most recent data breach ruling, FTC v. Wyndham, has taken the consequences of data breaches beyond bad publicity – and pushed them to greater legal and financial levels. As a result, enterprise groups that have their systems or customer data compromised can be held accountable regardless of how the breach occurred in the first place.
The Facts at a Glance: FTC v. Wyndham
For several years, the Federal Trade Commission (FTC) has been locked in a lawsuit with Wyndham Worldwide regarding a series of data breaches.
Between April 2008 and January 2010, hackers breached Wyndham’s network on three separate occasions, and accessed the personal and financial data of over 600,000 customers. The FTC investigated the data breaches, and in 2012, commenced legal action against Wyndham.
The FTC fought to prove that Wyndham failed to take necessary measures to protect consumers from security threats, and ultimately held the company responsible for a number of oversights:
- Allowing partner hotels to store credit card information in plain text
- Accepting easily guessable passwords in property management software
- Failing to use firewalls to limit access to the corporate network
- Not restricting third-party vendors from access to its network.
The ruling sets a data protection precedent that gives the FTC power to hold companies responsible should they fail to reasonably protect consumers via proper enterprise security measures.
What are the Implications on Data Protection Precedents?
The US Chamber of Commerce and National Federation of Independent Business stood with Wyndham Worldwide against the FTC. Reports show that these organizations believe the FTC is overstepping its jurisdictional boundaries in trying to control security in the business world.
However, the appeals court ruled in favor of the FTC. This is a major wake up call for companies that haven’t taken the right measures to protect consumer data. It will take time, but eventually the FTC will establish a concrete set of enterprise security guidelines for all companies to abide by.
In addition to a specific set of guidelines, Paul Rosenzweig of Lawfare identified a number of other potential implications resulting from the ruling:
- Any consumer-facing organization in the US that is currently subject to the FTC general consumer protection jurisdiction is now subject to the FTC’s security regulations.
- This ruling does not require the FTC to lay out concrete enterprise security guidelines. The FTC can provide an adequate notice of requirements through the enforcement process.
- The FTC standards are the now de facto minimum for corporate America.
- Many companies will treat the FTC standards as the maximum enterprise security measures necessary. Meeting these standards will likely provide companies with a safe haven legally.
There’s no doubting that 2015 will be remembered as a year of note in setting data protection precedent. Earlier in the year, the Obama administration passed the Personal Data Notification and Protection Act to protect consumers in the case of data breaches.
Now, the FTC has assumed control of corporate security standards. Organizations of all sizes will be held accountable for securing private data – regardless of how data breach occurred, and it’s time to make sure you’re prepared for the latest threats.
