Court of Appeals ruling: Federal Trade Commission can sue companies for data breaches

One of the main functions of the Federal Trade Commission (FTC) is to bring legal actions against organizations that have violated consumers’ privacy rights.

When the FTC sued hotel group Wyndham Worldwide Corporation in 2012 for failing to protect its customers’ personal information after three data breaches saw hundreds of thousands of consumers’ credit card data stolen and more than $10 million lost to fraud, few would have thought that the case would have the repercussions that it has.

Wyndham appealed, arguing that the FTC did not have the authority to punish it for the data breach because the requirements of 15 U.S.C. § 45(n) – which states that “[An unfair act or practice] causes or is likely to cause substantial injury” – were not met.

On Monday, August 24, the Court of Appeals decided in the FTC’s favor, ruling that the definition of unfairness in 15 U.S.C. § 45(n) does indeed cover poor cybersecurity.

FTC v Wyndham

The court ruling states:

“A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”

The implication couldn’t be clearer: if you’ve got inadequate cybersecurity and you suffer a data breach, you’d better have deep pockets.

Poor information security an “unfair” business practice

Make no mistake: if your organization collects, processes, or stores personal information then you need to make sure you can guarantee its security – the financial damage caused by a data breach can cause irreparable harm for a business.

An information security management system (ISMS), as prescribed by the international standard ISO 27001, provides an enterprise-wide approach to managing information security risks that encompasses people, processes, and technology.


The external validation provided by accredited ISO 27001 registration will improve an organization’s cybersecurity posture while confirming to stakeholders, suppliers, and staff that best practices are being employed. It is also often the case that companies will achieve compliance with a host of legislative frameworks – including state data breach notification laws and federal regulations such as FISMA, the GLBA, HIPAA, and SOX – and international standards like the PCI DSS simply by achieving ISO 27001 registration.

IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.

With their unique combination of standards, books, toolkits, software, training, and online consultancy, these implementation packages provide US organizations with all they need to implement the Standard, ensure their cybersecurity, and avoid crippling lawsuits.
