The Federal Trade Commission (FTC) has the power to punish organizations that fail to invest in and deliver robust online security measures, according to ruling by the US Court of Appeals for the Third Circuit. Responding to the ruling, Edith Ramirez, chairwoman of the FTC, said that the decision “reaffirmed” the commission’s view on the matter. She went on to say: “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
According to ESET security researcher Stephen Cobb, who was involved in the first FTC data security case, the FTC has long held that it possesses what Ms Ramirez has described as “authority to hold companies accountable for failing to safeguard consumer data”. Referring to the FTC case against pharmaceutical giant Eli Lilly settled in 2002, Cobb notes that ever since then, companies have been on notice that FTC action is a possible consequence of a data breach: "Only 669 people were affected in that case, but the FTC used it to establish ground rules which have pertained ever since, from following secure software development procedures to holding companies accountable for claims they make about protecting cusotmer privacy."
While an FTC settlement might not involve a fine, Cobb says it can mean many years of being "on probation", including FTC oversight of the company's security and provicy practices, audited by a CISSP or similar.
The FTC, which was founded in 1914 with the mission of protecting consumers against unfair business practices, said that this latest decision also reaffirms a previous federal district court ruling. That decision, from last year, supports the commission’s understanding of its power to ‘bring data security cases under the provision of Section 5 of the FTC Act, which concerns “unfair acts or practices” that have an impact on commerce. This new ruling suggests that lax cybersecurity efforts are indicative of this poor practice and can be pursued as such.
For the FTC, this decision has been a long time coming, originating in a complaint it filed against Wyndham Worldwide Corporation in 2012 for what it said was a “failure to protect consumers’ personal information”. The commission said at the time that three significant data breaches in less than two years was reflective of "inadequate security procedures” and commented that "Even after faulty security led to one breach...Wyndham still failed to remedy known security vulnerabilities; failed to employ reasonable measures to detect unauthorized access; and failed to follow proper incident response procedures."
Cobb recommends that CEOs and CISOs consult with legal counsel to be sure that the implications of this ruling are well understood. Says Cobb: "The negative publicity of an FTC action is the last thing your company wants to experience, particularly on the heels of a data breach when you are trying to restore the trust and goodwill of the cusotmers and the market."