If you do not want to become the next data breach headline and face the scrutiny of a federal regulator, your business had better improve its privacy policies and information security.
Why? Because just days ago, a U.S. appeals court (the Third Circuit) ruled that the Federal Trade Commission has authority under Section 5 of the FTC Act to take enforcement action against companies for lax cybersecurity, including the failure to safeguard the personally identifiable information of consumers. Specifically, the FTC sued the hotel and time-share operator Wyndham Worldwide in June 2012, claiming that “the company’s computer systems unreasonably and unnecessarily exposed consumer data to the risk of theft.”
The court case was based on three data breach events in 2008 and 2009 where cybercriminals hacked into Wyndham’s computer system. Forensic investigators and law enforcement found that these hackers stole credit card and other personal information from more than 619,000 customers, resulting in $10.6 million in fraudulent charges for affected Wyndham customers. The Wyndham case is a significant tipping point, as the FTC is emerging as the federal government’s national privacy and data security regulator. In fact, PCWorld.com went with the headline “Court: FTC can bring down the hammer on companies with sloppy cybersecurity.”
Another aspect of the Wyndham ruling concerned overpromising: what Wyndham told current and future customers it would do to prevent such events, and how well the company lived up to that promise. The gap between the promise and the practice appears to matter as much to this ruling as, or even more than, the hacking events themselves that resulted in stolen customer information and fraudulent charges. Wyndham’s privacy policy stated that the company protects “customers’ personally identifiable information by using standard industry practices,” and takes “commercially reasonable efforts to create and maintain 'fire walls' and other appropriate safeguards.” The FTC complaint alleged that Wyndham did not live up to those commitments.
Wyndham takes a completely different position. “We continue to contend the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security," Wyndham said in a statement.
"With the dramatic increase in the number and severity of cyberattacks on both public and private institutions, we believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries," the Wyndham statement said. The FTC welcomed the court ruling. It "reaffirms the FTC's authority to hold companies accountable for failing to safeguard consumer data," agency Chairwoman Edith Ramirez said in a statement. "It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information."
Mark's Most Important: Safeguarding consumer data is an FTC priority. Ensure that your company creates, maintains and follows through on its privacy and information security policies to secure sensitive customer and employee data.
This article was originally published on AZcentral.com and republished with the author's permission.
Merchants Information Solutions is a proud sponsor of the ITRC and provides it with financial support. For more information on the ITRC’s financial support relationships, please see our sponsorship policy.