
Learn about the new FTC ruling, and what it might mean for you. 

By: Brandon Bastian
Keep the Federal Trade Commission (FTC) on your radar because a recent court ruling may send ripples through the world of computer security.

The recent court ruling involving the FTC and Wyndham Worldwide Corporation concluded the FTC has the ability and authority to sue companies for computer security failures that result in substantial harm to consumers.

SEE ALSO: Top Ten PCI Requirement Failures: Where is Your Business Struggling?

What does the ruling mean?

Since 2005, the FTC has brought administrative actions against companies over lack of cyber security, but the majority of those cases settled before going to court. Wyndham went to court, lost and then appealed, which led to the ruling that the FTC can sue companies that don’t have proper data security.

But there are limitations. The FTC prohibits unfair practices that affect commerce and has the power to sue companies that violate that prohibition. The FTC can determine a practice is unfair if:
  1. Consumers were substantially hurt by the hack (e.g., credit card data stolen, consumer information stolen, etc.).
  2. Consumers could not avoid this harm. In this case, the company in question claimed to have proper security, but didn’t (e.g. no firewalls, weak usernames and passwords, etc.).
  3. The practice by the company was not outweighed by other benefits to the consumers.
So, if a company promised industry-standard security measures to consumers but didn’t follow through, and they are hacked, causing substantial harm to consumers, the FTC can take legal action. In Wyndham’s case, the court found the company was hacked three times but didn’t change anything, which is what likely prompted the FTC to sue.

Generally, this ruling may be more applicable to larger businesses that suffered broad hacks that could’ve been prevented. It’s also probable the FTC is more likely to target large hacks that substantially harmed consumers.

What about PCI DSS compliance? 

What does the FTC ruling have to do with PCI compliance? Technically, not much. Even with this ruling, the FTC still doesn’t have the power to regulate security to prevent hacks, but the FTC may recognize industry-standard security measures. The PCI DSS is an industry-standard set of data security rules, and if you follow it, you’re less likely to get hacked. But even if you are hacked, following an industry standard in security may lessen the likelihood that the FTC would seek action against you.

The FTC can’t require companies to adopt fair information practices (i.e., become PCI compliant). So if a company isn’t PCI compliant, the FTC can’t sue merely over that issue. Currently, only after an attack can the FTC get involved.

In Wyndham’s case, the attack was so severe because Wyndham had little to no computer security. Some of the mistakes Wyndham made were:
  • No firewalls
  • Lack of policy implementation
  • Weak usernames and passwords
  • Unencrypted credit card data storage
  • Didn’t act after they were hacked three times with the same malware
The biggest mistake may be that Wyndham didn’t follow their privacy policy.

A privacy policy documents the ways a company gathers, uses, and stores client information. It’s supposed to show customers what the company is doing with their data. Wyndham made multiple claims that it had a multitude of security measures in place to protect its clients’ data, when it actually didn’t. For example, Wyndham said it had firewalls, but didn’t.

Becoming PCI compliant can help take care of these easy-to-fix security problems, which might keep you from an FTC lawsuit after a breach.

SEE ALSO: PCI—You Don’t Have to be Perfect

You really should take this ruling seriously. Possible FTC lawsuits add to the growing expenses a company may face after a breach happens. These expenses can include:
  • Class-action lawsuits from consumers
  • Fines from the card brands
  • Administrative costs to replace cards
  • Cost of notifying consumers of breach
  • Credit reporting and monitoring for consumers

What actions should companies take to avoid being sued for lack of cyber security?

The threat of an FTC lawsuit is just another incentive to update your computer security practices.
My recommendations include:
  • Update and follow privacy policies
  • Strengthen usernames and passwords (e.g., don’t use your username as your password)
  • Use two-factor authentication
  • Use firewalls
  • Install and update anti-virus software
  • Change passwords and usernames if a breach happens
  • Work on becoming PCI compliant instead of just checking SAQ boxes

SEE ALSO: 5 Commonly Overlooked PCI Security Errors

Up your security or pay the price

This ruling should motivate you to have stronger security, especially since hackers are attacking more frequently, and lawsuits are likely to increase rather than decrease. Cyber attacks are also attracting government attention. More government organizations may be able to sue in the future if companies don’t resolve their computer security issues.

Don’t become lax with computer security, or it can come back to bite you in more ways than one.

Brandon L. Bastian has served as SecurityMetrics’ Corporate Counsel since October 2012. Bastian has experience managing complex commercial litigation, resolving legal disputes, drafting and negotiating business agreements, cyber law, and regulatory law. Bastian’s practice involves supporting his clients’ objectives while limiting risk using business strategies and the Business Judgment rule. He holds a B.S. in Biology and a J.D. from Brigham Young University. During law school, Bastian worked for Workman Nydegger as a summer associate.
