It is important for all companies — especially small and midsize companies — to have a basic understanding of what the FTC considers to be reasonable cybersecurity. The FTC is known for being one of the more aggressive regulators that are investigating and enforcing (what it views as) inadequate cybersecurity by companies doing business in the United States. In the watershed case solidifying the FTC’s authority to regulate companies’ cybersecurity under the FTC Act, F.T.C. v. Wyndham Worldwide Corp., the U.S. Third Circuit Court of Appeals looked to resources published on the FTC’s website and found that Wyndham’s cybersecurity was very rudimentary and contravened recommendations in the FTC’s 2007 guidebook, Protecting Personal Information: A Guide for Businesses.
The FTC recently published a couple of helpful resources on its website and companies of all sizes would be well-served to spend some time reviewing the recommendations in these resources:
Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
Ashley Madison and the FTC announced a settlement of the investigation into the data breach of 36 million AshleyMadison.com users that was being pursued by the FTC and several states’ attorneys general. The cost to Ashley Madison is substantial:
a total judgment of $17.5 million (though only $1.6 million is currently due; the remainder is suspended because of inability to pay),
required corrective measures, including implementing a comprehensive cybersecurity program, and
required cybersecurity assessments by a “qualified, objective, independent third-party professional” every two years.
Business and security leaders would be well advised to pay close attention to the specific shortcomings that the FTC found with Ashley Madison’s cybersecurity practices:
no written information security policy,
no reasonable access controls,
inadequate security training of employees,
no knowledge of whether third-party service providers were using reasonable security measures, and
no measures to monitor the effectiveness of their system security.
After looking at the foregoing list, ask yourself this question: “Does my company have any of these same problems?” If your answer is “Yes,” “Maybe,” or “I don’t know,” then your company could easily find itself in the same position as Ashley Madison, being pursued by the FTC, should it have a data breach.
The FTC also listed the following conduct by Ashley Madison as giving rise to the investigation:
the defendants misrepresented that they had taken reasonable steps to ensure AshleyMadison.com was secure,
misrepresented that they had received a “Trusted Security Award”,
misrepresented that they would delete all of the information of consumers who utilized their Full Delete service, and
engaged in unfair security practices by failing to take reasonable steps to prevent unauthorized access to personal information on their network, causing substantial consumer harm.
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
Shawn Tuma delivered the presentation Cybersecurity Legal Issues: What you really need to know at a Cybersecurity Summit sponsored by the Tarleton State University School of Criminology, Criminal Justice, and Strategic Studies’ Institute for Homeland Security, Cybercrime and International Criminal Justice. The presentation was on September 13, 2016 at the George Bush Institute. The following are the slides from Tuma’s presentation — a video of the presentation will be posted soon!
Most important cybersecurity-related legal developments of 2015
Tectonic Shift that occurred with “standing” in consumer data breach claims
Discussion of law prior to Neiman Marcus case, and post-Neiman Marcus
Does this now apply to all consumer data breach cases?
Immediate impact? Companies now liable?
Lesson is in seeing the trend and how incrementalism works
Michaels & SuperValu case dismissals in light of Neiman Marcus
FTC & SEC gave hints in 2014, post-emergence of Target details
Wyndham challenged authority – came to fruition in August 2015
SEC not far behind – significant case in September 2015
Aggressiveness of FTC is substantial – FTC v. LabMD … all over LimeWire
Officer & Director Liability
2014 – SEC Comm. fired the warning shot … pointed the finger
Shareholder derivative litigation
Individual liability of IT / Compliance / Privacy “officers”
Anticipated 2016 Legal Trends
Regulatory enforcement … which, by the way, is why NIST is becoming default
Shareholder Derivative – much more likely than consumer class actions at this time
Lessons from both of these: when you need to persuade the “money folks” that they need to act, mention D&O Liability (especially Caremark) and Regulatory focus on individuals … now they’re in the cross-hairs
Realization that cybersecurity is more of a legal issue than anything else (IT or business) because it is the legal requirements and consequences that ultimately drive everything