If you’re not a lawyer, then digging into legal precedent isn’t very exciting. What’s even less exciting is suffering a major data breach and having to deal with the legal consequences.
Data breaches are becoming more frequent, and regulators are taking additional steps to ensure consumer protection. While it may not be particularly exciting, every CISO needs to understand how recent cyber security rulings could impact a business in the event of a data breach.
A Quick Review: FTC v. Wyndham Worldwide Corporation
The Third U.S. Circuit Court of Appeals recently ruled that the Federal Trade Commission (FTC) has the power to regulate cyber security in the business world. This is a huge turning point for both consumers and enterprises —for better or for worse.
The FTC sued the Wyndham hotel brands for 3 sequential data breaches that occurred in 2008 and 2009. Cyber criminals compromised the Wyndham computer systems, hijacked nearly 620,000 credit card and payment data records, and stole over $10 million.
What was the basis of the suit? The FTC claimed that Wyndham “unreasonably and unnecessarily” left user data open to attack. With the Third U.S. Circuit Court of Appeals ruling in favor of the FTC, it’s clear that companies need to be able to prove that they are taking proper precautions when it comes to data protection.
“Companies should take reasonable steps to secure sensitive consumer information. When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers,” said FTC Chairwoman Edith Ramirez.
If you’re scratching your head at the idea of “reasonable” cyber security practices, you’re not alone. Staying off of the FTC's radar may be difficult, but these 5 investments can help:
Invest in Visibility: You need to be able to prove that you can see all of the traffic coming in and out of your network. If packets are slipping through the cracks, the FTC might deem your network too vulnerable. Check your device to network connections – if they don’t have a direct connection via a network TAP, chances are you’re missing data.
Invest in Detection: Start by shoring up the perimeter with next-gen firewalls, intrusion detection, advanced threat detection and other solutions that can act as your first line of defense. However, it’s just as important to be able to see what’s going on inside the network in the event that an attacker gets through. Deception technology not only allows you to identify and track intruders inside the network, it also lets you stop criminals from reaching their intended goal.
Invest in Training: So many of the world’s data breaches are caused by human error inside an organization. Your employees may be falling for phishing scams and putting your entire network at risk. Train all of your employees to spot suspicious activity - and you’ll instantly enhance corporate security.
Invest in Response: Although there are numerous measures that can be taken to prevent data breaches, it is still essential to have a response plan in place in case one does occur. Invest in an effective response plan, which includes steps such as contacting customers in a quick and efficient manner, in order to help mitigate losses throughout the data breach process.
Invest in Remediation: Making sure you have a plan to upgrade failed systems probably won’t win a lawsuit, but it will put compromised customers a bit more at ease and possibly help retain them after an incident has occurred.
The implications of the “Reasonable v Unreasonable Measures” precedent aren’t totally clear right now, but that doesn’t mean you can’t get out ahead of cyber criminals.
- 5 Steps to Cyber Security Risk Assessment
- Why Aren't Cyber Criminals Being Brought to Justice?
- How Vulnerable is Your Industry to Cyber Crime?