As we recently discussed, data breach legislation continues to be a moving target, with legislative changes pending in 32 states, not to mention federal legislation and global laws such as the EU GDPR, which have the potential to impact US organizations. Outside of this wave of legal requirements, there are industry-specific laws (such as HIPAA) and regulators who set standards and impose fines following a data breach, and these regulators are in flux as well. Within just the last year, we’ve seen the SEC and FTC both stepping up their game, and the same can be said for the Federal Communications Commission (FCC).
Just last year, the FCC announced its intentions to fine two companies $10 million for data security violations; the final settlement was reached for $3.5 million. In 2015, there have been two additional data security settlements with the FCC, the latest of which is a $595,000 settlement agreement with Cox Communications in relation to a data breach in August 2014. The previous settlement was for $25 million with AT&T Services. In addition to the fines, these settlements have included requirements for risk assessments, stronger security awareness training for employees and vendors, and upgrades that include multi-factor authentication. All of this must be documented and reviewed by the FCC within certain time periods.
Traditionally, the FTC has been the primary governing body enforcing data security cases, under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce,” a definition that allows for a great deal of legal interpretation. While the FTC retains its authority to regulate data security standards, and is indeed cracking down with more stringent enforcement actions, the FCC’s independent enforcements have placed the telecom industry in a state of double jeopardy. As with other industries facing overlapping regulators, the FCC’s actions do not replace any fines that the FTC may issue, leaving telecom organizations under the purview of multiple regulatory bodies and exposed to multiple fines for the same infringement.
When it is found that your organization has failed to implement proper data protections, you could now find yourself subject to investigations and fines from multiple regulatory bodies for the same data breach event. Investigations and litigations related to a data breach can take years to resolve. Learn how Absolute can help your organization navigate the choppy regulatory landscape and mitigate data security risks at Absolute.com.
Absolute Data & Device Security (DDS) allows organizations to persistently track and secure all of their endpoints within a single cloud-based console. Computers and ultra-portable devices such as netbooks, tablets, and smartphones can be remotely managed and secured to ensure—and most importantly prove—that endpoint IT compliance processes are properly implemented and enforced. Learn more here.