Legal Rulings Support the FTC’s Cybersecurity Authority

December 03, 2015

Recent data breaches have shown that the consequences for public and private organizations alike are significant: disruption, reputational damage and financial repercussions. These breaches have also sparked debate about the role federal regulators should play in holding organizations accountable. Despite the absence of definitive, comprehensive data protection authority, the FTC has used its general power to combat unfair and deceptive commercial practices to impose corrective cybersecurity settlements on companies that do not adequately protect their customers’ personal information.

This past August, the Third Circuit affirmed the FTC’s authority to regulate the data security practices of commercial entities. In a post on CSO Online, I discuss how the ruling suggests upcoming changes for data compliance regulation. The court held that an organization acts unfairly when it publishes a privacy policy but then fails to make good on that promise by investing inadequately in its data security. The decision makes clear that information security is to be treated like any other duty of care, and that a company cannot excuse a breach by pointing to inadequate security measures it should have put in place.

Last month’s dismissal of the agency’s complaint against LabMD by FTC Chief Administrative Law Judge D. Michael Chappell did nothing to change the FTC’s authority to impose cybersecurity requirements. In the LabMD case, the Judge ruled only that, given the questionable credibility of the agency’s key witness, the FTC had failed to meet its burden of proving that the company’s conduct caused, or was likely to cause, substantial harm to consumers. The Judge never said that the FTC lacked the power to bring such actions against companies that fail to adequately protect personal information. Moreover, the FTC recently announced that it will appeal the Judge’s decision to the full Commission.

Even if the FTC’s appeal proves unsuccessful, this has been a drawn-out and costly legal battle. LabMD has acknowledged that the litigation forced it to cease operations, an outcome every company should obviously wish to avoid. Hence, most organizations facing potential FTC scrutiny find it more cost-effective, though still costly, to settle out of court by agreeing to twenty years of independent oversight of their data security compliance. In addition to the FTC, organizations are subject to other industry-specific regulators, as well as the wide-reaching implications of the upcoming EU General Data Protection Regulation (GDPR).

To avoid the censure of such regulators, organizations must be able to make a clear case that proper safeguards were in place. Cyberattacks come in many shapes and sizes, so no definitive checklist exists for protecting data. With that said, each organization should adhere to its own formal security procedures and adopt a layered approach: encryption, anti-malware and endpoint security; regular, comprehensive audits of the effectiveness of those protections; and staff awareness programs, so that data breaches are prevented where possible and responded to quickly when they occur.

Absolute Data & Device Security (DDS) allows organizations to persistently track and secure all of their endpoints from a single cloud-based console. Computers and ultra-portable devices such as netbooks, tablets and smartphones can be remotely managed and secured to ensure, and most importantly prove, that endpoint IT compliance processes are properly implemented and enforced.
