Court: FTC can take action on corporate data breaches

Security experts are split about whether the FTC's oversight will help improve enterprise security

The US Court of Appeals for the Third Circuit has ruled that the FTC's mandate to protect consumers against fraudulent, deceptive and unfair business practices extends to oversight of corporate cybersecurity efforts -- and lapses. But security experts are split about whether the decision will help improve enterprise security.

"It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information," said Federal Trade Commission Chairwoman Edith Ramirez in a statement.

Specifically, last week's decision allowed the FTC to take action against Wyndham Hotels and Resorts for failing to reasonably protect consumers' personal information between 2008 and 2010, when hackers broke in three times and stole more than 600,000 bank card numbers.

Together with another court decision this summer allowing class action lawsuits against breached companies, this ruling means that data breaches are about to get a lot more expensive.

Pressure for action

Given that data breaches keep happening, and are becoming more and more destructive, something had to change.

"Everyone wants to see more done," said Eric Chiu, president and co-founder at Mountain View, Calif.-based HyTrust Inc., a cloud security automation company. "Allowing companies to police themselves hasn't worked."

According to Chiu, economic and financial motivations aren't enough, companies haven't been policing themselves, and consumers have been paying the price. The FTC's involvement is good news for consumers, he said.

"The government will now be putting greater pressure on companies to put in place the right level of security," he said. "It gives the FTC a lot more power to take action against companies that frankly have weak security practices."

The ruling gives the FTC more teeth, and that's a good thing, said Greg Mancusi-Ungaro, CMO at Toronto-based BrandProtect Inc.

It will take time to see whether it has enough teeth, he added.

But the actual fines the FTC levies are just the start, he said, since FTC decisions will also add substantial fuel to class-action lawsuits.

"This opens the door for lawsuits against corporations that can last for years and can cost them a lot of money," confirmed Jason Polancich, founder and chief architect at Sterling, Va.-based SurfWatch Labs, Inc. "This is a quagmire that businesses can find themselves in if they don't prioritize cyber."

No specifics

The decision won't create better security on its own, but it has already sparked discussion in companies, said Gerry Stegmaier, partner in the privacy and data security practice at Boston-based Goodwin Procter LLP.

However, it's not clear exactly what it means to take reasonable steps to secure customer information.

"The key underlying problem – what must companies do – will remain until the agency can explain better what the law requires," he said. "It's like giving speeding tickets without speed limit signs."

There's also the risk that the FTC will require companies to take steps that aren't necessarily the most effective.

"Compliance costs will increase, but it's unclear whether risk management will get better," he said. "The decision encourages business to drive nails with a violin, regardless of whether that's good for the violin."

The hackers are the ones who illegally break in and steal data.

But it's the businesses who are being treated like criminals by the FTC, Stegmaier said.

Are reasonable steps even enough?

There's little evidence that the ruling will make a significant difference to consumers, said Amir Ben-Efraim, co-founder and CEO at Menlo Park, Calif.-based Menlo Security.

"There have been many reported -- and unreported -- cases of successful attacks on organizations that would have passed FTC scrutiny in terms of patching and updating," he said.

That's the dirty secret of the cybersecurity business, he added.

"No combination of conventional, detection-based security systems deployed today can stop an attack," he said.

The big winners in this debate are the security vendors, who are expecting to see enterprises become more receptive to new approaches -- and to bigger security budgets.

"When you go for the low-cost option to store sensitive data, that's not a good thing," said Kunal Rupani, principal product manager at Palo Alto, Calif.-based Accellion, Inc. "The FTC is doing the right thing by making sure that enterprises take the measures that they need to take to make sure their customer data is secure."

At the very least, enterprises need to go back to the drawing board and rethink their security strategies, he said.

For example, enterprises should admit that traditional walled-garden (perimeter-only) approaches to security are no longer enough. Criminals will break in, and companies need to add layers of protection around the data itself.

That could be via broader adoption of encryption, said Suni Munshani, CEO at Stamford, Conn.-based Protegrity USA, Inc.

"In case of a breach, the scrambled data cannot be understood by unauthorized individuals," he said.
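What "protection around the data itself" looks like in practice is a record-level encryption layer whose key never sits in the same store as the data. The Go program below is an added illustration (not code from the article or from any vendor quoted in it): it seals each card number under AES-256-GCM, binds the ciphertext to its row identifier as associated data so a stolen ciphertext cannot be transplanted onto another row, and keeps only the last four digits in clear for display. The record type, field names and the sample card number are constructed for the example; the point is that a dump of the `CardRecord` table without the key yields nothing an attacker can use, and any edit to the stored bytes fails authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// CardRecord is what would be written to the database: the nonce and
// authenticated ciphertext of the card number, plus the last four digits
// in clear for display and customer lookup. (Constructed for this example.)
type CardRecord struct {
	Last4      string
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a fresh 32-byte AES-256 key. In production the key lives
// in a KMS or HSM, not beside the records it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN seals a card number for one row. The recordID is passed as
// associated data: it is authenticated but not encrypted, so decryption
// fails if the ciphertext is moved to a different row.
func EncryptPAN(key []byte, recordID, pan string) (CardRecord, error) {
	if len(pan) < 4 {
		return CardRecord{}, errors.New("card number too short")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return CardRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // 12 bytes for GCM; unique per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return CardRecord{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(pan), []byte(recordID))
	return CardRecord{Last4: pan[len(pan)-4:], Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptPAN opens a stored record. It returns an error for a wrong key,
// a tampered ciphertext, or a recordID that does not match the one sealed.
func DecryptPAN(key []byte, recordID string, rec CardRecord) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key, _ := NewKey()
	rec, err := EncryptPAN(key, "row-42", "4111111111111111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: last4=%s ct=%s\n", rec.Last4, hex.EncodeToString(rec.Ciphertext))
	pan, _ := DecryptPAN(key, "row-42", rec)
	fmt.Println("decrypted with key and correct row:", pan)
	if _, err := DecryptPAN(key, "row-43", rec); err != nil {
		fmt.Println("moved to another row:", err)
	}
	rec.Ciphertext[0] ^= 0x01
	if _, err := DecryptPAN(key, "row-42", rec); err != nil {
		fmt.Println("tampered ciphertext:", err)
	}
}
```

The useful property for the breach scenario the article describes is separation of duties: an attacker who copies the table gets `Last4` and opaque bytes, and cannot decrypt, forge or re-home a record without also compromising the key service, which is a separate target with its own access controls and audit trail.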

But all these efforts won't be going to waste, he added.

"While security firms may benefit from this ruling, the real winners are those consumers who want their sensitive information better protected," he said.

Stories by Maria Korolov