U.S. Court Affirms FTC Authority to Enforce Data Breach Rules
The court responded that it was not persuaded by Wyndham's arguments, observing that its actions were permitted under existing federal legislation and under the Constitution. While Wyndham Hotels does theoretically have the right to appeal the decision to the U.S. Supreme Court, it's hard to see how the high court is going to get past the vision of hundreds or thousands of customers, all slipping on banana peels. Wyndham's legal position, it would seem, is untenable. But the Wyndham decision is relevant to any industry that is dealing with the public. It's clear that the FTC is convinced its a serious error to leave consumer financial or identity information effectively defenseless on corporate networks. What it means to your business is that, in addition to the financial pain you may suffer, if you fail to protect customer information you can expect the feds to come down on you like a ton of bricks. That is in addition to the risk to the C-suite's employment security as well as the market valuation of companies that fail to pay attention to data security.Unfortunately, following the series of cyber-attacks on Wyndham, it became clear that the claims of protection were just that—claims. Wyndham didn't actually do what it had claimed. The FTC listed that as yet another deceptive business practice. As you might expect, the FTC was pleased with the court decision. "Today's Third Circuit Court of Appeals decision reaffirms the FTC's authority to hold companies accountable for failing to safeguard consumer data," said FTC Chairwoman Edith Ramirez in a prepared statement released to the media. "It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information." But what it really means to your company is that security of customer information is required by law. If you don't protect the personal and financial information to the maximum extent required by the FTC, then you're going to be in a world of hurt. In addition, it's probably cheaper and easier to protect the data like you're supposed to in the first place, instead of thinking up flimsy excuses for why you shouldn't have to.
Adding to the hotel chain's troubles were its published privacy statement, which laid out all of the steps that the company went to in its efforts to secure customer data; those steps included such things as claims that all data was protected by 128-bit encryption.