This week’s post was written by Thomas Allen, Senior Security Consultant at Foresite.
The FTC Bureau of Consumer Protection has fired a shot across the bow at otherwise unregulated businesses that engage in “unreasonable data security”. In this case Wyndham Hotels and Resorts was accused by the regulatory body of ‘unfairly placing consumers at risk’, specifically their payment card information, by exposing it to hackers in three separate data breaches.
Under the terms of the settlement, the company will establish a comprehensive information security program designed to protect cardholder data – including payment card numbers, names and expiration dates. In addition, the company is required to conduct annual information security audits and maintain safeguards on connections to its franchisees’ servers.
“This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” said FTC Chairwoman Edith Ramirez. “Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”
Now that the precedent is set, and the courts have affirmed the FTC’s role in cybersecurity, any and all data breaches could be subject to sanction by the FTC. Wyndham’s argument was that the FTC lacked authority to regulate the data security standards of commercial entities. The 3rd Circuit Court of Appeals upheld the lower court’s ruling, affirming the FTC’s authority. Wyndham then entered into a 20-year agreement under which, if it successfully obtains the necessary compliance certifications, it will be deemed in compliance with the comprehensive information security program provision of the order.
Of particular interest in the original suit was that the FTC alleged the defendants violated 15 U.S.C. § 45(a), which prohibits “unfair or deceptive acts or practices,” by representing to consumers that they had reasonable measures in place to protect their personal information against unauthorized access. It’s important to note that if an organization asserts that it is protecting customers’ information, it had better actually be doing the reasonable things required to make good on that promise.
To see what the FTC considers reasonable practices, here is a link to its guide for businesses: https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business