Last week, the 3rd U.S. Circuit Court of Appeals in Philadelphia said the Federal Trade Commission (FTC) can go forward with a lawsuit that would hold Wyndham Worldwide Corp. accountable for data breaches. The court ruled that the FTC mandate to protect consumers against fraudulent, deceptive and unfair business practices extends to oversight of corporate cybersecurity lapses.
In 2008 and 2009, due to poor security protections, 619,000 customers of Wyndham Worldwide Corp., whose brands include Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge, had personal data, including credit card information, stolen. The stolen data was then used to rack up over $10 million in fraudulent charges.
“It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information,” said FTC Chairwoman Edith Ramirez.
Deciphering the Ruling
The ruling means that the government will likely now be putting more pressure on companies to put the “right level of security” in place. But how will they define what the “right level” is? And what might the landmark case mean for businesses that are hacked despite their best efforts? What kinds of penalties might they face for failing to properly safeguard consumers' information? And how do you balance consequences so they are enough to make companies take security more seriously without putting them out of business should a breach occur?
While few would disagree that something needs to be done to prevent the growing number of hacks, few agree on the best way to make that happen, or on what approach is even realistic. There is already a huge list of companies, big and small, that have experienced customer data theft, and new breaches seem to make headlines every day.
One positive sign is that the FTC seems determined to take an inclusive approach to these challenges. Last week, Chairwoman Ramirez said her agency will host the first-ever PrivacyCon later this year. The event is designed to bring together researchers, academics, industry representatives, consumer advocates and government regulators to discuss the role of data collection across businesses. Ramirez said the FTC wants to ensure all stakeholders have a seat at the table.
"Our goal is to make PrivacyCon a premier privacy research event that will help us advance our understanding of security and privacy issues for the digital age," she said. "PrivacyCon is just one step on the road to creating a continuing dialogue with the technology and research community."
The Best Security Money Can Buy?
While much remains to be seen in terms of what will happen next and how the FTC will handle this, one thing seems certain: the ruling will make data breaches a lot more expensive for companies. Not only will they have to pay penalties should a breach occur; they’ll also need bigger security budgets to ensure they are getting the best security possible, and that those solutions are kept up to date.
The biggest beneficiaries, of course, will be the security vendors.