Recent revelations of an ongoing cyber-attack against publicly traded companies in order to beat the stock market have again reminded us that no business is immune from data breaches.
There has long been an argument that modern legislation such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) offer sufficient protections to businesses and consumers. For years, the top markets investing in data protection have been healthcare, financial services and government.
Why? These organisations are highly regulated, and data protection is required for regulatory compliance. Hence it probably came as a shock to global hotel company, Wyndham Worldwide Corp (Wyndham) when it was sued by the Federal Trade Commission (FTC) under Section 5 of the Federal Trade Commission Act of 1914.
According to documents filed in the District Court in Arizona in August of 2012, Wyndham engaged in ‘unfair and deceptive acts and practices’ when, between 2008 and 2010, data breaches of Wyndham systems led to the release of over 600,000 Wyndham customers’ personal data.
Among the other failings cited in the indictment, Wyndham was accused of failing to use firewalls, failing to address known security vulnerabilities on servers, using ‘default’ user names and passwords to access servers, failing to limit third party access, and so on. Pretty bold accusations I know, but what business was it of the FTC?
Interestingly, when the case was heard by the U.S. Court of Appeals for the Third Circuit in Philadelphia, lawyers representing Wyndham challenged the authority of the FTC in an area where there already exists ‘a less extensive regulatory scheme.’ By this they were referring to the Fair Credit Reporting Act, HIPAA and others.
Nevertheless, the three appeal court judges sided with the FTC in agreeing that it has the authority to regulate corporate cyber security. Thus, at least for the time being, and until Congress adopts more wide-ranging legislation governing data security, the FTC has the authority to pursue organizations that it deems liable for data breaches that cause harm to consumers.
However what we still don’t have is a set of rules from the FTC. Speaking earlier this year, Peter Karanjia, a partner at Davis Wright Tremaine LLP in Seattle, Washington, articulated this concern when he stated: ‘What business really needs here is clear rules of the road, and unfortunately when there’s after-the-fact enforcement like this based on broad concepts like unfair practices, that doesn’t provide the clarity that business needs.’
This lack of a set of rules for unregulated businesses – those businesses in industries without specific data security regulations – appears to have dampened the incentive for these businesses to adopt effective levels of security. Perhaps they don’t believe that they have sensitive data worth stealing, or maybe they don’t see themselves as potential targets.
Also, when planning next year’s budget, most companies will choose to spend on tools or strategies that promise revenue growth rather than on security solutions that don’t offer a clear return on investment. Case in point, Jason Spaltro, Sony Pictures’ senior vice president of information security, famously stated during an interview: ‘I will not invest $10 million to avoid a possible $1 million loss.’
It may have appeared a sound business trade-off a few years ago, but since then a plethora of data breaches at his own and other non-financial, non-health related businesses has surely demonstrated that every type of business is vulnerable and has a duty to its clients and employees to protect their information, and to its shareholders to protect intellectual property.
In recent times, companies have been promoting their ethical behavior. They believe that having demonstrably better ethics improves their brand image, leads to increases in customer numbers, and higher share prices as ethical investors choose to invest in these companies.
In this age of constantly changing threats, businesses should not be waiting around to find out if they’ll be retrospectively fined by the FTC, or if congress will eventually get around to adopting more wide-ranging legislation governing data security. Instead they should be seen to be acting ethically.
All types of businesses should be taking immediate action to protect corporate and client data, not only to protect from liability, but also to protect their brand images from the negative exposure of headline news.
Sourced from Nigel Johnson, Zix Corporation