Failure to Provide Information Security Is a Growing Risk For Business

Businesses large and small across the United States have been put on notice that they need to get their information security houses in order. The United States Court of Appeals for the Third Circuit ruled last month that companies that are not providing adequate data security can be held accountable by the Federal Trade Commission.

The far-reaching decision was handed down as part of a lawsuit between Wyndham Worldwide Corporation and the FTC. Wyndham Worldwide is the holding company for Wyndham Hotels and Resorts and several other recognizable lodging brands throughout the United States. The company was the victim of several data breaches in 2008 and 2009 in which the payment card information of over 600,000 customers was stolen by hackers. The resulting fraud liability was over $10 million, and in response the federal agency filed suit against the chain for its failure to provide adequate protections for consumers. Wyndham's defense centered on the argument that it was the victim rather than the perpetrator and should not be held accountable for another party's wrongdoing, despite the fact that it was the company's failure to protect its systems that harmed its customers.

In its ruling, the court of appeals sided with the FTC, stating not only that the agency has the right to hold companies accountable, but also that the agency has no obligation to specify the exact security practices companies must put in place for their customers' protection. The FTC's case against Wyndham is slated to go forward in district court under the authority provided by a 1914 law.

Though the court indicated that the Federal Trade Commission is under no obligation to name a specific data protection practice, in the Wyndham case the company's shortcomings were enumerated. They included failure to use firewalls to safeguard the corporate network, failure to encrypt customers' credit card information, and allowing third-party vendors access to the company's network.

The laxity of Wyndham’s security measures was remarkable in light of the vast quantities of personal data that they maintained, and the FTC’s case against them stated that “taken together, [Wyndham] unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”

The FTC has not gone so far as to establish required security measures, but it is strongly encouraging companies to adopt data destruction and cybersecurity measures, particularly companies that collect and retain consumer data. Recent attacks on consumer favorites such as Target and Home Depot have raised awareness of the issue, and as consumer electronics and smart phones become more interconnected, concerns about the vulnerability of information are growing. One measure that has been floated by the Obama administration is "empowering the FTC to require companies to abide by principles including transparency on data-collection activities, giving consumers the right to control personal information."

As more corporations are taken to task and held liable for failing to protect consumers against data breaches, the need for companies large and small to act proactively is becoming increasingly apparent.