Enterprise wake-up call: if you’re not doing enough to protect your customer information, the feds might come after your company for unfair and deceptive practices.
That’s the conclusion of a federal appellate court this week, which decided that the US Federal Trade Commission (FTC) has the power to sue corporations that don’t take adequate measures to protect customer information from hackers.
The FTC had sued Wyndham Hotels and Resorts over a series of security breaches that led to the compromise of the personal information and credit card numbers of 619,000 customers, to the tune of $10.6 million in fraudulent charges.
It could be argued that Wyndham’s security lapses had been particularly egregious. For example, the FTC contended that it wasn’t even using firewalls, perhaps the first line of defense against cyberattacks.
Firewalls, however, were only the tip of the iceberg. “The idea that you can trust any internal network and consider it to be safe with or without firewalls is completely obsolete,” according to cybersecurity expert Satyam Tyagi, CTO of Certes Networks.
In addition to the lack of firewalls, the FTC alleged that Wyndham stored credit card information in clear text rather than encrypting it, failed to address known vulnerabilities, and didn’t even keep an inventory of the computers connected to its own network – along with several other basic lapses that every company must address to have any hope of deflecting an attack.
In fact, the FTC saw this breach as evidence of unfair or deceptive business practices – thus making it worthy of official action. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information,” FTC Chair Edith Ramirez told Reuters. However, neither the FTC nor the court specified what “reasonable steps” might be.
As a result, this ruling leaves enterprises with a quandary. On the one hand, it introduces a new compliance regime: companies must take reasonable steps to secure customer information, not simply to avoid exposure to customer lawsuits and reputational damage, but also to remain compliant with FTC regulation.
On the other hand, it’s not clear what the FTC’s standard will be for the reasonable steps necessary to ensure compliance. The central question here is whether the occurrence of a breach necessarily proves a company had not taken reasonable steps to prevent such a breach – or whether following some industry standard cybersecurity checklist would suffice, even if a breach were to occur anyway.
The court grounded its decision in the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” Wyndham argued that its lax security measures didn’t constitute unfair or deceptive acts or practices, asserting that a business “does not treat its customers in an ‘unfair’ manner when the business itself is victimized by criminals.” The court ultimately disagreed with this reasoning.
It seems, therefore, that the occurrence of a breach that exposes sensitive customer information may be sufficient to warrant an FTC action, regardless of whether the company in question believed it was taking adequate steps to prevent such a breach. Note that the ruling confirms the FTC’s authority to bring such a case; it does not decide whether Wyndham’s practices were in fact unfair.
As a result, this ruling should be a loud wake-up call for every enterprise struggling with its cybersecurity investments. Every company must weigh the cost of such security against the exposure any potential breach might cause.
Now companies must also consider the risk of an FTC action as well – even if they believe they’ve taken adequate precautions.
Intellyx advises companies on their digital transformation initiatives and helps vendors communicate their agility stories. As of the time of writing, Certes Networks is an Intellyx client. None of the other organizations mentioned in this article are Intellyx customers. Image credit: Jason Bloomberg.