08-26-15 | Blog Post
Every CIO needs to stand up and take notice. There’s a new compliance cop in town – and it’s not just for health care, financial or credit card information – it’s for any company that holds personally identifiable information (PII) on their servers.
On Monday, a Federal Appeals Court ruled that the Federal Trade Commission (FTC) has the power to take action against companies that employ poor IT security practices. Over a year ago, we talked about the US District Court ruling, which has now been upheld by the Federal Appeals Court.
In a statement, the FTC’s Chairwoman Edith Ramirez said “Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
The FTC says that the decision upholds the commission’s authority to bring data security cases under the provision of Section 5 of the FTC Act that outlaws unfair acts or practices in or affecting commerce.
So what does this mean to CIOs? If you hold PII on your servers, you are now accountable to the FTC. Unlike HIPAA regulations, where the fines are large but defined, the FTC can sue anyone under this new ruling without a cap on damages if it finds you are not taking reasonable steps to secure sensitive consumer information.
How do you define reasonable? That is one of the questions attorneys most like to argue about, but implementing the security standards required by the HITECH and HIPAA laws, or complying with PCI-DSS (the Payment Card Industry Data Security Standard), could certainly be construed as reasonable protection for PII.
Another way to demonstrate reasonable steps for securing your data is to leverage a secure, compliant cloud hosting provider to protect your data, servers and network. With years of experience securing sensitive patient information, credit card data and financial information, we have the secure architecture, trained specialists and audited processes to keep your data safe and keep the regulators at bay.