Earlier this year, the Third Circuit re-affirmed the FTC’s authority to regulate data security standards of commercial entities. Specifically, this ruling came in the FTC v. Wyndham case, where the company argued that the FTC lacked the authority to regulate data security standards, particularly as such standards are not publicized. This argument was overruled, leading many to believe that the FTC, now on firmer ground, would step up its security enforcement.
Though a recent ruling against the FTC has made it clear that proof of harm may be required for FTC enforcement to stick, that ruling came only after a drawn-out and costly legal battle. There is a reason that many organizations choose to settle their legal battles with regulators of all kinds. This week, we've seen two major settlements with the FTC, which will continue to reinforce the strength of the FTC and set the bar for organizations.
Following the Third Circuit ruling in FTC v. Wyndham, the two parties have come to a final settlement three years after initial charges were laid. Wyndham has agreed to settle the FTC's charges that it unfairly placed consumer payment card information at risk in three separate breaches, though the terms of the settlement include neither an admission of wrongdoing by Wyndham nor a fine. Instead, the injunction requires that Wyndham submit to oversight for 20 years, develop a “comprehensive information security program” and submit to annual audits.
Another landmark case was settled this week, in FTC v. LifeLock, five years after the charges were initially laid. In the settlement, LifeLock agrees to pay $100 million to consumers to settle its charges, the largest monetary award obtained by the FTC to date. A portion of the agreement will be used to settle a class action suit against LifeLock by consumers, with the remainder provided to the FTC.
“This settlement demonstrates the Commission’s commitment to enforcing the orders it has in place against companies, including orders requiring reasonable security for consumer data,” said FTC Chairwoman Edith Ramirez. “The fact that consumers paid Lifelock for help in protecting their sensitive personal information makes the charges in this case particularly troubling.”
LifeLock did not admit wrongdoing in the case, and financial harm to consumers was never proven. No requirements were placed upon LifeLock to change their systems or processes, which LifeLock has heavily invested in.
These two settlements, coming years after the cases began with major legal battles, lend significant credence to the FTC's authority to enforce data security standards. There is speculation that these settlements will discourage others from mounting a significant legal challenge to the FTC’s authority, with settlements coming sooner after charges are laid. In order to avoid the censure of regulators such as the FTC, organizations must make a clear case that proper safeguards were in place. Organizations should adopt a defense-in-depth or layered approach, one which encompasses education, policy and technologies to protect data from a wide variety of risk points. Absolute customers rely on us to provide them with a unique and trusted layer of security so they can manage mobility while remaining firmly in control.
Absolute Data & Device Security (DDS) allows organisations to persistently track and secure all of their endpoints within a single cloud-based console. Computers and ultra-portable devices such as netbooks, tablets, and smart phones can be remotely managed and secured to ensure—and most importantly prove—that endpoint IT compliance processes are properly implemented and enforced.