In another win for consumer protection, the Third Circuit has ruled that the Federal Trade Commission has the authority to regulate cybersecurity under the “unfairness prong” of the Federal Trade Commission Act. The Court set this precedent in Federal Trade Commission vs. Wyndham Worldwide Corporation. In Wyndham, the FTC alleges that defendant’s computer systems were hacked three times between 2008 and 2009 and that taken as a whole these actions “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” Specifically the FTC alleged that the company stored payment information in clear readable text, used default passwords, had an inadequate inventory of the computers with access to their network, and did not take adequate measures to protect against or respond to the incidents.
This case made its way to the Third Circuit on appeal of the District Court’s denial of the defendant’s motion to dismiss. The Court made quick work of the defendant’s arguments, finding that the FTC had the authority to regulate cybersecurity and offering a potential answer to the public outcry for federal regulation on the topic. Now the interesting work begins, which is likely to create more questions than it answers. Will we see the FTC championing cybersecurity regulation on par with HIPAA? Now that the FTC’s authority is firmly entrenched, the agency will undoubtedly begin the rulemaking process.
On March 3, 2015, Jessica Rich, Director of the Bureau of Consumer Protection, gave a glimpse into the thought process of the FTC. Specifically, the agency aims to address three high-level areas: big data, mobile, and sensitive information. On big data, the FTC’s “… central message is that, even in the face of rapidly changing business models and technologies, companies still need to follow the fundamental privacy principles – including: don’t collect or retain more data than you reasonably need, tell consumers how you plan to use and share their data, give consumers choices about their privacy, and protect data from unauthorized access.”
On the topic of mobile, Ms. Rich appears to be struggling with the same issues as much of the industry. Her comments on the topic are short and to the point: “… we’ve issued several reports about kids’ apps, mobile privacy disclosures, and mobile payments. These reports stress the need for privacy by design, transparency, and easy-to-exercise choices for consumers.” As broad as this statement is, she stresses that mobile will be a key focus for the FTC throughout 2015. She quickly moves on to the protection of sensitive information.
She starts by reiterating the agency’s commitment to privacy protection: “protecting sensitive data isn’t really a new priority – it’s one of the original priorities we started with at the very beginning of our privacy program.” Beyond that, the specifics of the goals are rather light, but she is quick to point out that the agency’s “… work to protect sensitive data also includes 55 cases to date against companies that failed to implement reasonable security protections…” One of those companies is undoubtedly the defendant in this case.
For the millions of consumers who are already victims of these data breaches, the damage is done. But now they have a powerful advocate in their corner to help fight for the protection of sensitive data going forward.
Darren Greaney is general counsel at Digital Guardian.