
US corporations that skimp on cybersecurity now subject to FTC regulation

NOTE: This post was originally published on September 17, 2015

A US appeals court has ruled that the Federal Trade Commission has the authority to regulate corporations’ cybersecurity practices as a matter of consumer protection.

This means the FTC can treat unreasonably weak data security as an “unfair” business practice, bring civil enforcement actions against corporations whose safeguards fall short, and bind them to court orders or consent decrees that dictate what measures they must take to protect customers’ data. (The FTC is a civil enforcement agency; it does not bring criminal charges.)

The case concerns Wyndham Worldwide Corp, which owns major budget hotel franchises like Days Inn, Howard Johnson, Ramada, Super 8, and Travelodge. In 2008 and 2009, three security breaches resulted in 619,000 customers’ credit card details being leaked to hackers.

The damage? US$10.6 million in fraudulent charges.

No Opposition. None.

The unanimous decision by the Third US Circuit Court of Appeals in Philadelphia upheld an April 2014 ruling by a federal district court that rejected Wyndham’s motion to dismiss, allowing the FTC to move forward with its case. The ruling is the most high-profile win yet for the FTC in its pursuit of companies with deficient cybersecurity. The agency has brought such actions since 2005, but most end in settlements or consent orders, which do not create binding legal precedent.

The FTC prevailed under Section 5 of the 1914 Federal Trade Commission Act, the consumer protection law that created the agency itself. The court held that insufficient cybersecurity can be deemed an unfair practice “if the practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

The court found that the FTC had plausibly alleged exactly that: Wyndham’s privacy policy promised safeguards it did not deliver, exposing customers to substantial financial injury. Wyndham argued that it did not have fair notice of what the FTC expected of it. The court rejected that argument, noting that the FTC had published a guidebook for businesses on protecting customers’ personal information in 2007, including a checklist of practices that make up a sound data security plan, and that Wyndham’s alleged failures were basic enough that a company promising reasonable security should have known better.

Unclear Standards

The ruling is a bit of a double-edged sword. On one hand, the FTC can now enforce stronger cybersecurity standards for corporations, in turn better protecting consumers. Companies must ensure that their privacy policies are accurate and, if they promise to safeguard information using industry standard practices, they must stay updated with those practices.

On the other hand, the exact standards are hazy. It’s now up to the FTC to determine what constitutes reasonable cybersecurity measures. Unfortunately, cybersecurity could be a space that evolves faster than the wheels of the government can turn. A set of standards laid out today could be insufficient tomorrow.

Many questions remain regarding the FTC’s newly awarded power. Who exactly will set cybersecurity standards? The government? A badge-awarding third-party alliance? Will small businesses be required to invest in the same levels of security as big corporations?

No matter the outcome, customers remain ultimately responsible for protecting themselves. Actually reading a company’s privacy policy rather than blindly hitting the “accept” button is a good start. Performing due diligence on a company’s security measures and keeping up with current IT security technologies is also a step in the right direction.


Featured image: pio3 / Dollar Photo Club