When the FTC sued the hotel group Wyndham Worldwide Corporation in 2012 for failing to protect its customers’ personal information, after three data breaches in which hundreds of thousands of consumers’ credit card details were stolen and more than $10 million was lost to fraud, few would have expected the case to have the repercussions it has had.
Wyndham appealed, arguing that the FTC lacked the authority to punish it for the breaches because the requirement of 15 U.S.C. § 45(n) – which states that “[An unfair act or practice] causes or is likely to cause substantial injury” – was not met.
On Monday, August 24, the appeals court ruled in the FTC’s favor, holding that the definition of unfairness in 15 U.S.C. § 45(n) does indeed cover poor cybersecurity.
FTC v Wyndham
The court ruling states:
The implication couldn’t be clearer: if you’ve got inadequate cybersecurity and you suffer a data breach, you’d better have deep pockets.
Poor information security an “unfair” business practice
Make no mistake: if your organization collects, processes, or stores personal information, then you need to be able to guarantee its security – the financial damage from a data breach can be irreparable for a business.
An information security management system (ISMS), as prescribed by the international standard ISO 27001, provides an enterprise-wide approach to managing information security risks that encompasses people, processes, and technology.
The external validation provided by accredited ISO 27001 registration will improve an organization’s cybersecurity posture while confirming to stakeholders, suppliers, and staff that best practices are being employed. Moreover, companies often achieve compliance with a host of legislative frameworks – including state data breach notification laws and federal regulations such as FISMA, the GLBA, HIPAA, and SOX – and international standards like the PCI DSS simply by achieving ISO 27001 registration.
IT Governance’s ISO 27001 Packaged Solutions provide fixed-price ISO 27001 implementation resources and consultancy support for all organizations, whatever their size, sector, or location, from under $600.
With their unique combination of standards, books, toolkits, software, training, and online consultancy, these implementation packages provide US organizations with all they need to implement the Standard, ensure their cybersecurity, and avoid crippling lawsuits.