Security negligence goes to court

The number of people whose data was breached in 2015 exceeded that of the previous year. How do we plan to regulate these cases?


Many referred to 2014 as the “Year of the Breach.” Yet the number of people whose data was breached in 2015 exceeded that of the previous year. The U.S. Government’s Office of Personnel Management, CVS and T-Mobile are just a few of the larger-scale victims. And the bad news is that there is no end in sight. We can be sure that these attacks will continue in all shapes, sizes and categories. No one is immune.

How do we plan to regulate these cases? What should organizations be compelled to do in order to protect the sensitive information they store? And what should be the expected consequences when these organizations do not go far enough to protect consumer data?

Two cases currently in the headlines could help us understand how compliance regulations and policing of security negligence will evolve over the coming year.

The Federal Trade Commission will aggressively pursue its cybersecurity authority

Having already scored a major victory in the federal Third Circuit against Wyndham Corporation in August 2015, the Federal Trade Commission (FTC) recently faced its first setback. In November, a complaint the FTC had filed against LabMD criticizing its lax cybersecurity practices was dismissed by the FTC’s chief administrative law judge. When the decision became public, some stories began touting the dismissal as a major setback for the agency, but that assessment may be premature.


The Wyndham decision supported the FTC’s ability to broadly institute cybersecurity requirements pursuant to the agency’s authority to prevent “unfair or deceptive practices.” The LabMD case did nothing to change that ability. The complaint in LabMD was dismissed because the FTC could not sustain its burden of proof: its key witness had a serious conflict of interest. The administrative judge never ruled that the FTC lacked the authority to bring the action against LabMD; the agency simply failed to prove its case.

The FTC has already announced it is appealing the judge’s dismissal. In the 100-year history of the FTC, it has never lost an appeal to the Board of Commissioners. Should the Board overturn the dismissal of the complaint, the case could continue through the “regular” court system. (Incidentally, Wyndham recently reached an agreeable settlement with the FTC.)

New European Union privacy rules rattle industries worldwide

In October 2015, the European Union (EU) Justice Court struck down the Safe Harbor agreement that had existed for 15 years between the EU and the U.S., in its decision entitled Schrems v. Data Protection Commissioner. News reports estimate that about 4,500 businesses have been affected. The agreement had allowed American companies to self-certify annually to the U.S. Department of Commerce that they were in compliance with the data privacy requirements of the 28 Member States that comprise the EU.

A new agreement is under negotiation, but both sides are struggling to find an acceptable middle ground. Meanwhile, the European Commission has announced that if a satisfactory agreement is not in place by the end of January, each Member State’s Data Privacy Commissioner will consider initiating “coordinated enforcement actions” to mandate compliance.

In the meantime, the European Commission, in conjunction with the European Parliament and Council, has finally drafted the long-awaited General Data Protection Regulation. It would supersede the current Data Protection Directive of 1995. The Directive is only an advisory set of rules, which has caused each of the 28 EU Member States to draft its own version of privacy laws.

Under the newly proposed regulation, however, there would be only one set of rules applicable to all 28 states. There would also be a newly created “right to be forgotten” and “right to portability,” giving every EU citizen the right to move and remove her or his data. A breach notification requirement would require that victims be contacted as “soon as possible,” but no later than 72 hours after discovery of the breach.

Depending on how these cases evolve, the results could have significant repercussions for how organizations are required to store and move data, at both the domestic and international level.

This article is published as part of the IDG Contributor Network.