FTC Has Court Approval to Fine Companies for Lack of Security for Data Breaches
Being prepared just got more serious this past week. Cybersecurity has now become an even higher priority for companies, by default. If it wasn’t a high priority previously, it should have been, and now it must be.
In a new ruling, a U.S. appellate court held that the Federal Trade Commission (FTC) can sue Wyndham Hotels for a 2008 and 2009 data breach, in which 600,000+ customers’ data was stolen from its systems. The ruling also reinforced that the FTC is truly the digital watchdog for corporate America, with the authority to enforce. The FTC can investigate companies and charge them with unfair trade practices for failure to protect customers from the theft of online data. Unfair practices refer to how a company publishes its privacy practices to attract customers but then does not have adequate resources for cybersecurity to safeguard the customer data as stated.
The Importance of Security Measures
It cannot be stressed enough: it is no longer a matter of whether a security breach will occur. It is a matter of when a security breach will occur.
One of the articles listed below asks an interesting question. Which is worse: not safeguarding customer data or misleading customers about security measures?
There are some key points that likely need to be examined and re-examined by many companies, in the wake of the new responsibilities thrust upon them with this ruling.
- Does your company have a security plan?
- If yes, have you updated the company data security plan?
- Have you implemented lessons that you learned from previous incidents in any updates of the security plan?
- Does the current, defined team have the best/right people in place?
- Have you reviewed the current, defined team recently to be sure all members of the team are still in place?
- When was the last time you implemented a practice run?
- How often do you train employees in the company’s cybersecurity policies?
- Have you updated the data and privacy policies?
- Are the current data security tools modern, up-to-date and sufficient to meet the company’s current needs?
- Has your company considered compliance with the NIST Cybersecurity Framework?
- Is the legal department part of the process in the company’s security plan?
Cybersecurity is already a big topic in the boardroom. The executive team is already more involved than ever when it comes to securing company and customer data. This new ruling is likely to spur new conversations about the efforts and budgets necessary to secure and defend against cyber attacks. Minimizing company risks and responsibilities is now a growing priority for everyone.
Here are some articles on the topic: