The Federal Trade Commission (FTC) has won a groundbreaking ruling in its fight against cybercrime, one that blurs the line between the physical and digital realms to the point where the same consumer-protection law applies to both. The court upheld the FTC's use of its existing authority under Section 5 of the FTC Act to pursue a company that fails to protect its customers' digital information properly.
The relevant standard in the Act defines unfair acts under Section 5 as those that "cause or [are] likely to cause substantial injury to consumers which [are] not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition."
Wyndham's challenge was that the FTC was effectively overriding existing security legislation, such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA), and that if the FTC wanted to police data security it should first publish rules and regulations that companies could follow. The court rejected this argument.
What Does This Mean for U.S. Companies in General?
Like it or not, the planets are aligning around the enforcement of cybersecurity protection, especially for consumer data. This year Congress took up the Cybersecurity Information Sharing Act (CISA) in recognition of the avalanche of security incidents occurring across the USA and worldwide. The FTC's win against Wyndham shows the appetite for legal redress against lax attitudes towards the security of consumer data.
Until now the protection of user data has been handled through a patchwork of requirements: federal legislation such as HIPAA, industry standards such as PCI DSS, and state-level data-breach laws, of which there are currently 47. The result is a mosaic of regulations that is often confusing and frequently poorly adhered to. Recent breaches of Personally Identifiable Information (PII), such as the Anthem breach in which some 80 million customer records were lost to cybercriminals, show that this scattergun approach to data security is not working. Anthem appears to have been HIPAA compliant, yet the FTC has reportedly decided to pursue Anthem using the same Section 5 arguments it used against Wyndham.
The realization that compliance does not equate to security is dawning on us all in the wake of mass cyber-attacks and the shift from closed commercial networks to more open, cloud-based ways of working.
The problem comes down to the fact that the cybersecurity landscape is a moving target. The changes of the last few years show that attacks are becoming steadily more complex, and the firewalls and anti-virus products mandated by compliance regimes simply cannot hold back the tidal wave of cybercrime on their own.
The Third Circuit's opinion in Federal Trade Commission v. Wyndham Worldwide Corporation can be found here: http://www2.ca3.uscourts.gov/opinarch/143514p.pdf