The US Court of Appeals has ruled that the FTC mandate to protect consumers against fraudulent, deceptive and unfair business practices extends to oversight of corporate cybersecurity efforts -- and lapses. But security experts are split about whether the decision will help improve enterprise security.
"It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information," said Federal Trade Commission Chairwoman Edith Ramirez in a statement.
Specifically, last week's decision allowed the FTC to take action against Wyndham Hotels and Resorts for failing to reasonably protect consumers' personal information between 2008 and 2010, when hackers broke in three times and stole more than 600,000 bank card numbers.
Together with another court decision this summer allowing class action lawsuits against breached companies, this ruling means that data breaches are about to get a lot more expensive.
Pressure for action
Clearly, given that data breaches keep happening and are getting more and more destructive, something needed to happen.
"Everyone wants to see more done," said Eric Chiu, president and co-founder at Mountain View, Calif.-based HyTrust Inc., a cloud security automation company. "Allowing companies to police themselves hasn't worked."
According to Chiu, economic and financial motivations aren't enough, companies haven't been policing themselves, and consumers have been paying the price. The FTC's involvement is good news for consumers, he said.
"The government will now be putting greater pressure on companies to put in place the right level of security," he said. "It gives the FTC a lot more power to take action against companies that frankly have weak security practices."
The ruling gives the FTC more teeth, and that's a good thing, said Greg Mancusi-Ungaro, CMO at Toronto-based BrandProtect Inc.
It will take time to see whether there are enough teeth, he added.
But the actual fines the FTC levies are just the start, he said, since FTC decisions will also add substantial fuel to class-action lawsuits.
"This opens the door for lawsuits against corporations that can last for years and can cost them a lot of money," confirmed Jason Polancich, founder and chief architect at Sterling, Vir.-based SurfWatch Labs, Inc. "This is a quagmire that businesses can find themselves in if they don't prioritize cyber."
The decision won't create better security on its own, but it has already sparked discussion in companies, said Gerry Stegmaier, partner in the privacy and data security practice at Boston-based Goodwin Procter LLP.
However, it's not clear exactly what it means to take reasonable steps to secure customer information.