Recent data breaches tell us what private and public sector victims are dealing with: disruption, reputational damage, and significant financial repercussions. They can also find themselves attracting the undesirable attention of regulators. Data breaches like those suffered recently by the IRS and Ashley Madison have ignited the discussion about the role that federal regulators should play in holding organizations accountable.

The US Congress has not yet adopted sweeping legislation governing data security. Even in these large-scale, headline-grabbing breaches with massive financial settlements, there has not been a clear path by which the federal government can bring a case for wrongdoing. This may now be changing.

Over the past few months, many state and federal regulators have stepped up their focus on data security, conducting their own examinations and investigations and ultimately levying fines for non-compliance or for the lack of adequate security measures to protect consumer information.

Perhaps most significant was a ruling in August 2015 from a federal US appellate court confirming that the Federal Trade Commission (FTC) has the authority to take legal action against an organization for not adequately safeguarding customer data. This ruling broadly confirms the FTC's authority to regulate companies that are negligent in the loss of consumer data to hackers. So what does this ruling mean?
The court's decision demonstrates that information security must be treated like any other protective measure, and that having inadequate cybersecurity measures in place should not be treated as an exception. According to the ruling, "A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business."

In many cases, organizations have acted recklessly by storing sensitive information without encryption or by writing passwords on sticky notes. In such cases, government bodies like the FTC will be able to make a clear argument that this lack of security amounts to insufficient protection, and that an organization which promised its customers protection it did not deliver can be held accountable for those unsupported claims.

One of the challenges both the FTC and future defendants will face is making a clear case that the proper safeguards were, or were not, in place. As we have seen, cyberattacks come in many shapes and sizes, and therefore there is no definitive checklist for protecting corporate or customer data. Defining a fair standard to which every organization must adhere will be a discussion point and an arena of debate for some time.

Navigating data compliance

It is challenging for organizations to understand and comply with the many well-meaning regulatory requirements, particularly when such requirements are framed as suggestions. It is critical for businesses to protect themselves and their customers by implementing and adhering to formal security procedures. In the coming year, the European Union is poised to introduce its General Data Protection Regulation (GDPR), which would impose new privacy requirements on any organization that processes personal data while offering goods or services to citizens of the European Union.
While no such blanket regulation exists in the US, several industries have faced increasingly large regulatory fines for not complying with existing industry-specific legislation. The introduction of new legislation in Europe could be a catalyst for similar legislation in the U.S.

There is no single panacea when it comes to ensuring the integrity of your corporate network and the security of customer data. Organizations need to adopt a layered approach that includes encryption, anti-malware, and endpoint security. It is also important to conduct frequent and comprehensive audits of your data security posture.

Education and staff awareness are also critical. Having a formal procedure that sets out what is expected in the event of a breach can help expedite containment and mitigate the resulting risks. Internal awareness training should be conducted regularly across the organization. With greater regulatory oversight than ever before, organizations must ensure they are investing in and prioritizing the protection of their sensitive data at all levels of the organization.

Sweeping legislation like the EU GDPR may be inevitable, but time will tell whether this form of governance will encourage organizations to prioritize security.