As business owners, many of you have a database of your clients' most sensitive information. However, given the times in which we live, it is conceivable that you may wake up one day to find that your database has been hacked. And, as a result, your customers’ private information is now freely available in the public domain.
In such an unpleasant situation, you would most surely anticipate lawsuits from your clients. But the government? More specifically, the Federal Trade Commission (FTC): why would it be suing you, the victim? Well, as Ray Hennessey reports, the federal Third Circuit Court of Appeals ruled in late August that the:
“Federal Trade Commission can step in and sue companies that are victims of hacks, in cases where security practices are so lax, they constitute a violation of users’ privacy agreements.”
Wyndham’s own privacy policy, for example, promised customers the following:
“We safeguard our Customers’ personally identifiable information by using industry standard practices... Although ‘guaranteed security’ does not exist either on or off the Internet, we make commercially reasonable efforts to make our collection of such Information consistent with all applicable laws and regulations.”
As such, Wyndham failed to meet its customers’ expectation of secure records, an expectation based on that provision in its privacy agreement.
Because of this 'lax' security, the court sided with the FTC’s claim that it had a right to take action against:
“Wyndham because the hotel chain engaged in ‘unfair cybersecurity practices’ that, ‘taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.’”
Note that the court was not moved by Wyndham’s claim that allowing the FTC to file suit would lead down a slippery slope of the government intruding on customers’ privacy to the point where it could even reach the information held in individual hotel door locks!
So what does that mean for you and your business?
To avoid being sued for "deceptive practices":
1. Ensure that the cybersecurity you provide is in line with what customers can reasonably expect based on your privacy statement.
To avoid having the FTC knocking on your door:
2. Use cybersecurity that does not 'unreasonably and unnecessarily' expose consumers’ personal data to unauthorized access and theft.
- Essentially, this means you cannot sidestep a deceptive-practices suit simply by adopting a "toothless" privacy agreement.
3. Though there are no strict rules about what constitutes “fair” cybersecurity practices, avoid these activities outlined by the court in the Wyndham case:
a. Storing “credit-card data in easily readable formats”
b. Failing to “create firewalls between different systems”
c. Having “passwords [that are] simple to crack” and
d. Failing to “have a system to alert administrators when a hack [takes] place.”
Given that this is a recent decision, we do not know the full extent of the FTC’s regulatory reach in these types of hacking cases (for example, Hennessey wonders how it will handle the Ashley Madison hack, given that this company had one of the best cybersecurity systems in place). Despite this uncertainty, for now simply focus on avoiding the mistakes made by Wyndham and purchase the best cybersecurity you can afford that meets the standards described above.