Posted 5.4.14
by wpadmin
Blog

Is the FTC enforcing better cybersecurity for data protection in non-regulated industries?

Those of us working in the security and compliance world are very aware of the data privacy rules and enforcement in different regulated industries:

  • Health and Human Services (HHS) and its Office for Civil Rights (OCR) have broad authority over protected health information (PHI) through the HIPAA and HITECH acts, with significant fines for breaches of PHI data by the holders of that data.
  • Sarbanes-Oxley (SOX) put teeth into protecting and securing financial data for publicly traded companies and a broad array of companies in the financial industry.
  • Visa and MasterCard have driven businesses that touch payment cardholder data (CHD) to secure e-commerce transaction data through the Payment Card Industry Data Security Standard (PCI DSS), with significant fines and penalties for data breaches built into their contracts.

In addition to these familiar players, a new ranger has arrived on the scene and staked a claim to investigating companies and holding them accountable for protecting data.

Mike Klein
Online Tech
Co-CEO

Until the recent ruling by the U.S. District Court of New Jersey, many of us in the data security and compliance world had not given much thought to the Federal Trade Commission (FTC) and its authority over both regulated and non-regulated industries when it comes to cybersecurity and data protection.

It may come as a surprise that there have been over 50 cases where the FTC has stepped in and extracted settlements from companies that have had data breach incidents. Now the U.S. District Court has affirmed the FTC’s broad authority to take action against companies that have had lapses in data security, and more specifically when those lapses have involved breaches of personally identifiable information (PII) that companies hold on their servers and in their databases.

Apparently, this applies not just to regulated industries, but to non-regulated industries as well. Any company that holds PII can be the subject of an FTC action if they are not properly securing that data.

This was the case for Wyndham Worldwide Corporation in its claims against the FTC. Wyndham argued that it was not in a regulated industry and that the FTC could not arbitrarily decide to prosecute it. Under Section 5 of the FTC Act, the FTC can go after companies that engage in unfair or deceptive acts. The court ruled that a company engages in unfair acts or practices if the company’s data security practices cause, or are likely to cause, substantial injury to consumers that is:

  1. not reasonably avoidable by consumers; and
  2. not outweighed by countervailing benefits to consumers or to competition.

In Wyndham’s case, the FTC went after the company because it failed to use readily available security measures, failed to establish sound security policies and procedures, failed to keep its systems patched against known security problems, and lacked the ability to detect and respond to intrusions. The result of Wyndham’s lax cybersecurity was multiple data breaches between 2008 and 2010 and the theft by cybercriminals of the credit and debit card numbers of hundreds of thousands of consumers.

The U.S. District Court confirmed the FTC’s authority to pursue a broad range of companies that don’t fall under industry-specific regulations.

The moral of the story seems to be this: if you are holding ANY type of personally identifiable information (PII) on your servers or in your databases, the government expects you to properly secure that data. The U.S. District Court has now given the FTC the teeth to enforce those expectations for data privacy and security.


RELATED

Webinar: Is the FTC Coming After Your Company Next? Court Confirms that the FTC Has Authority to Punish Companies for Poor Cyber Security Practices

Last week, IT privacy and security attorney Tatiana Melnik dove into the implications for businesses storing personal customer information as FTC enforcement becomes increasingly stringent. A replay and the slides from that webinar are available for download.