Are You Ready for the Next Data Breach? The FTC, Privacy Policies, and Data Protection
If your business collects customer data, do you have proper security measures in place to protect that data? Since 2005, the Federal Trade Commission (FTC) has pursued administrative actions against companies with deficient cybersecurity. The rise of serious data breaches has caught the notice of the FTC, causing it to increase its consumer protection enforcement activity.
A recent ruling by the U.S. Court of Appeals for the Third Circuit, FTC v. Wyndham, affirms the FTC’s authority to take action against companies that have unfair or deceptive cybersecurity practices. It is more critical than ever that businesses implement measures to adequately protect their customer data, prepare response plans in case the data is compromised, and ensure that their privacy policies accurately reflect the level of protection they provide.
The Wyndham Decision
The FTC alleged that Wyndham’s data security practices were unfair and deceptive, pointing to deficiencies that included:
- Allowing hotels to store payment card information in an unencrypted format;
- Using “easily guessed passwords” for its property management systems;
- Failing to use firewalls or other “readily available security measures;”
- Allowing connection to its network without taking “appropriate cybersecurity precautions;”
- Failing to “adequately restrict” access to its network;
- Failing to employ “reasonable measures to detect and prevent unauthorized access”; and
- Failing to follow “proper incident response procedures.”
What Should Businesses Do?
In addition to meeting the promises made in its policies, a business must maintain “reasonable and appropriate” data security measures. Unfortunately, the Third Circuit in Wyndham affirmed that the FTC does not have to define what “reasonable and appropriate” means; it can provide adequate notice of what is required under the law through its enforcement process. Furthermore, the FTC can pursue acts that are likely to cause substantial injury even if no breach or injury has actually occurred. Therefore, it is imperative that businesses periodically review the complaints that the FTC files against businesses and consult the FTC’s prior consent decrees to determine what is required under the law and implement new measures to best protect consumers’ security.
Taking into account what the FTC considers proper measures, businesses should investigate potential cybersecurity gaps and work with technology staff to determine whether their practices cover those gaps. Per the Wyndham decision, businesses should at least:
- Have firewalls at critical network points;
- Encrypt customer files, including stored payment card information;
- Restrict network access to specific IP addresses;
- Change the default or factory-setting passwords; and
- Have a breach response plan in place for when a breach does occur.
Investigation and implementation of proper measures will require attention to detail, a strong IT department, and counsel that is knowledgeable on cybersecurity principles. Beyond helping the business understand the legal issues and minimize liability, consulting an experienced attorney may bring the protection of attorney-client privilege to the investigation.
In 2007, the FTC issued a guidebook, Protecting Personal Information: A Guide for Business, which describes a checklist for creating a “sound data security plan.” While the guidebook does not state what is required under the FTC Act to be compliant with the law, it is a beneficial resource for determining what the FTC considers adequate data security measures.