Defending Your Security Program: The FTC, Breach Class Actions, and You

Roger Angarita

Data breaches continue to fuel major media bonfires, CEOs are resigning, and the FTC is gaining ground in becoming the data-protection enforcers on behalf of consumers and business customers. Now in the wake of the Ashley Madison, Neiman Marcus, and Home Depot cyber-attacks, critical court decisions are occurring that will may raise protection standards and increase corporate liability. The smoke signal arising from the judicial system last month was the Third Circuit’s ruling affirming the data security authority of the Federal Trade Commission (FTC) in Federal Trade Commission v. Wyndham Worldwide Corp.

The FTC brought a suit against Wyndham, saying that the corporation engaged in “unfair and deceptive practices” relating to three data breaches in 2008 and 2009 that “unreasonably and unnecessarily” exposed the personal data of hundreds of thousands of consumers to misuse and theft. The U.S. Court of Appeals for the Third Circuit ruled on August 24, 2015 to unanimously uphold the authority of the FTC in the case.


Critical Questions Raised

We can be reasonably certain that this ruling indicates that a new era in regulatory and legal requirements for data protection is dawning. As the breach enforcers, the FTC will likely be empowered to take action on behalf of consumers when class-action lawsuits do not. And they’ll no doubt serve as referees in lawsuits between credit card companies and hacked corporations, because no one wants to bear the financial brunt of these attacks. This complex situation begs three really important questions:

  • How will “reasonable” data protection standards be defined?
  • How will companies who lack those reasonable data-protection policies and processes be penalized by the FTC in the future?
  • How will damages be calculated for civil litigation and class-action suits?
Hacked organizations' first defense in the past 18 months has been to claim that there is no certain way to prevent the new breed of “advanced” cyber-attacks. Yet consider that two of the most publicized breaches occurred at a major retailer or service provider that had no idea where all of their sensitive data was kept and had not been performing even basic security and data protection.

We can’t answer numbers two or three yet, and only time will tell. It’s nearly certain, though, that damage calculations will have to consider a broad range of factors, including job loss (particularly in the case of Ashley Madison customers who were members of the military), pain and suffering, identity theft, and financial fraud that may occur following loss of personally identifiable information.

Starting Points for “Reasonable Data Protection” 

While we don’t yet know how “reasonable” security standards will be defined, we can make some recommendations with confidence. Based on the fact that many organizations are not yet doing even the basic protection practices, we recommend taking these steps:

  • Learn where every copy of your sensitive data is stored (product plans and other intellectual property, financial information, personally identifiable information) across your enterprise, and don’t forget about third parties like business partners and vendors such as law firms and payroll services.
  • Encrypt that sensitive data. This is not sufficient protection, but it is essential.
  • Stop watching the firewall and start watching your sensitive data. Begin studying what normal behavior around that data looks like and ask your security team to implement an alert system for abnormal or anomalous behavior related to it.
  • Investigate and consider adopting the NIST Cybersecurity Framework. Many legal experts feel this may become a standard for “commercially reasonable” security approaches.
  • Research the types of attacks that are occurring within your line of business or industry. Professional associations are good places to obtain and share this information.
  • Hire more experts – whether employees, contractors, or services firms – to implement better security.
  • Consider the many types of risks represented by your data. Think about your line of business and what could happen to your business model if specific types of data were leaked. For example, in the case of Ashley Madison, inability to protect the privacy of their data means they may be out of business. Even confidential emails like those publicized in the Sony breach coverage can have an impact on executive careers and overall business viability.
  • Be prepared to capture and preserve breach-related data as potential evidence of criminal activity and as proof if you ever need to claim that your breach may not have been preventable.
  • Go beyond simply buying and installing security tools and work from a real security framework. One example is our own Inside-Out Security Framework.
  • Document your security processes. In this new age of enhanced regulation and civil liability, these processes may be discoverable.
  • Test your security processes. Practice your readiness. Many of our most security-mature customers run security breach “fire drills.” Doing this helps ensure that all concerned in your organization know what to do when the inevitable happens.
The next year will be interesting as both standards and damage-calculation formulas are defined. For now, focus on doing the basics, gaining visibility to and monitoring the locations where your sensitive data lives, documenting your processes, and testing them.

Want to share a best practice? I welcome feedback and ideas in the comments section below.

Roger Angarita is the Director of Product Management in R&D at Guidance Software. Earlier in his career he worked on corporate governance and intellectual property issues as an attorney at Latham & Watkins.

No comments :

Post a Comment