Organizations with Inadequate Data Security Practices Can Be Sued by the FTC

Yet another reason to step up your security practices to protect your customer information… the FTC can sue you if you don’t!

The FTC collects complaints about hundreds of issues, including data security, and makes them available to law enforcement agencies for follow-up. In recent years, it has sued two companies for failing to protect consumer data. In 2015, the FTC sued LifeLock for violating a 2010 settlement with the commission and 35 state attorneys general by “continuing to make deceptive claims about its identity theft protection services and by failing to take steps to protect users’ data.” In 2012, the FTC filed a lawsuit against Wyndham Hotels over three separate data breaches in 2008 and 2009 that exposed credit card information from more than 619,000 customers and led to more than $10.6 million in fraudulent charges. The suit claimed that Wyndham engaged in “unfair” and “deceptive” practices in violation of 15 U.S.C. Sec. 45(a). Wyndham argued that it was itself a victim of the hacks and should not be penalized, and it challenged the FTC’s authority to enforce cybersecurity standards.

This week, the U.S. Court of Appeals for the Third Circuit (in Philadelphia) upheld the FTC’s 2012 lawsuit against Wyndham, “reaffirming the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” according to agency Chairwoman Edith Ramirez.  The Opinion Statement says “A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”

In the Wyndham case, the FTC spelled out the specific unfair security practices in which the company engaged that, “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft” (quoted and abbreviated below from the Opinion Statement).

  1. Allowed Wyndham-branded hotels to store payment card information in clear readable text.
  2. Allowed easily guessed passwords to access property management systems.
  3. Failed to use “readily available security measures” – such as firewalls – to limit access between the hotels’ property management systems, corporate network and the Internet.
  4. Allowed hotel property management systems to connect to its network without taking appropriate cybersecurity precautions (including adequate information security policies and procedures, security updates, changing default user IDs and passwords, and managing devices connected to the network).
  5. Failed to “adequately restrict” the access of third-party vendors to its network and the servers of Wyndham-branded hotels.
  6. Failed to employ “reasonable measures to detect and prevent unauthorized access” to its computer network or to “conduct security investigations.”
  7. Did not follow “proper incident response procedures.”

Whether the data you store is related to patients, consumers, customers, clients, or employees, your business is responsible for protecting their private information. HIPAA regulations require administrative, physical and technical safeguards to assure the confidentiality, integrity, and availability of electronic protected health information, and impose breach response requirements and stiff fines on healthcare practices for a breach of patient information. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect consumers’ financial information. The Sarbanes-Oxley Act (SOX) improves financial disclosures from corporations and prevents accounting fraud. Amendments to Rule 1.6 of the Model Rules of Professional Conduct require lawyers to safeguard information related to the representation of a client and to take reasonable precautions to prevent it from coming into the hands of unintended recipients. State laws regulate breaches of personal information, including credit card information and human resources records. The FTC is also on board to protect consumer information through enforcement of Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.”

The impact of a data breach is far-reaching. If your company does not use adequate IT security measures and your data is breached, you’ll face the costs of notifying the clients whose data was breached (and notifying the media and HHS in the case of a HIPAA breach), investigating and containing the breach, possible litigation and fines, as well as intangible costs such as damage to your company’s reputation and loss of business. The impact on your clients is also severe: they face identity theft and credit card fraud that can affect them for the rest of their lives. Now, if your company does not use appropriate data security, your company also faces being sued by the FTC!

What is your company doing to protect your client information?  Big Idea Technology can help your company do a network assessment and a risk assessment to determine where your security is lacking, and help you to protect your data.  Call us to get started!