Learn about the new FTC ruling, and what it might mean for you.
|By: Brandon Bastian|
The recent court ruling involving the FTC and Wyndham Worldwide Corporation concluded the FTC has the ability and authority to sue companies for computer security failures that result in substantial harm to consumers.
SEE ALSO: Top Ten PCI Requirement Failures: Where is Your Business Struggling?
What does the ruling mean?
security, but the majority of those cases settled before going to court. Wyndham went to court, lost and then appealed, which led to the ruling that the FTC can sue companies that don’t have proper data security.
But there are limitations. The FTC prohibits unfair practices that affect commerce and has the power to sue companies that violate that prohibition. The FTC can determine a practice is unfair if:
- Consumers were substantially hurt by the hack (e.g., credit card data stolen, consumer information stolen, etc.).
- Consumers could not avoid this harm. In this case, the company in question claimed to have proper security, but didn’t (e.g. no firewalls, weak usernames and passwords, etc.).
- The practice by the company was not outweighed by other benefits to the consumers.
Generally, this ruling may be more applicable to larger businesses that suffered broad hacks that could’ve been prevented. It’s also probable the FTC is more likely to target large hacks that substantially harmed consumers.
What about PCI DSS compliance?What does the FTC ruling have to do with PCI compliance? Well, not much, technically. Even with this ruling, the FTC still doesn’t have the power to regulate security to prevent hacks, but the FTC may recognize industry standard security measures. The PCI DSS is an industry standard set of data security rules, and if you follow it, you’re less likely to get hacked. But, even if you’re hacked, following an industry standard in security may lessen the likelihood that the FTC would seek action against you.
The FTC can’t require companies to adopt fair information practices (i.e., become PCI compliant). So if a company isn’t PCI compliant, the FTC can’t sue merely over that issue. Currently, only after an attack can the FTC get involved.
In Wyndham’s case, the attack was so severe because Wyndham had little to no computer security. Some of the mistakes Wyndham made were:
- No firewalls
- Lack of policy implementation
- Weak usernames and passwords
- Unencrypted credit card data storage
- Didn’t act after they were hacked three times with the same malware
Becoming PCI compliant can help take care of these easy-to-fix security problems, which might keep you from an FTC lawsuit after a breach.
SEE ALSO: PCI—You Don’t Have to be Perfect
You really should take this ruling seriously. Possible FTC lawsuits add to the growing expenses a company may face after a breach happens. These expenses can include:
- Class-action lawsuits from consumers
- Fines from the card brands
- Administrative costs to replace cards
- Cost of notifying consumers of breach
- Credit reporting and monitoring for consumers
What actions should companies take to avoid being sued for lack of cyber security?
The threat of an FTC lawsuit is just another incentive to update your computer security practices.My recommendations include:
- Update and follow private policies
- Strengthen usernames and passwords (e.g., don’t use your username as your password)
- Use two-factor authentication
- Use firewalls
- Install and update anti-virus software
- Change passwords and usernames if a breach happens
- Work on becoming PCI compliant instead of just checking SAQs boxes
Up your security or pay the priceThis ruling should motivate you to have stronger security, especially since hackers are attacking more frequently, and lawsuits are likely to increase rather than decrease. Cyber attacks are also attracting government attention. More government organizations may be able to sue in the future if companies don’t resolve their computer security issues.
Don’t become lax with computer security, or it can come back to bite you in more ways than one.
Brandon L. Bastian has served as SecurityMetrics’ Corporate Counsel since October 2012. Bastian has experience managing complex commercial litigation, resolving legal disputes, drafting and negotiating business agreements, cyber law, and regulatory law. Bastian’s practice involves supporting his client’s objectives while limiting risk using business strategies and the Business Judgment rule. He holds a B.S. in Biology and a J.D. from Brigham Young University. During law school, Bastian worked for Workman Nydegger as a summer associate.