A recent federal court decision upheld the Federal Trade Commission’s (FTC) authority to take enforcement action on behalf of consumers against businesses that fail to take reasonable steps to secure sensitive consumer information.
The U.S. Court of Appeals for the Third Circuit ruled that the FTC could proceed with a lawsuit alleging hotel chain Wyndham Worldwide Corp. was, at least in part, responsible for the three unauthorized intrusions it experienced over the span of two years that compromised the credit card numbers of 619,000 customers and led to more than $10.6 million in fraudulent charges. The FTC alleged that Wyndham had engaged in cybersecurity practices that, collectively, were unfair and unreasonable, resulting in unnecessary exposure of consumers’ sensitive data. The Wyndham practices cited by the FTC as unfair and unreasonable included, but were not limited to, lax password management, lack of appropriate firewall protection for consumer data, use of outdated software and failure to follow proper incident response procedures.
Going forward, based on the reasoning of the Wyndham decision, it is going to be difficult for any business, large or small, to take the position that it was somehow unaware of the importance of cybersecurity. As such, it is imperative that your business have appropriate cybersecurity practices and policies in place for the protection of sensitive consumer information. When reviewing your business’s current cybersecurity practices and policies, keep in mind the following principles:
- Be aware of all the personal information collected, retained and shared. Review your system to learn how your business and/or vendors use consumer data. Restrict access to sensitive data to only those “need to know” employees or vendors.
- Keep only personal information required for legitimate business operations. If you don’t need it, don’t keep it.
- Use physical and electronic security to protect the information your business retains. Such security could include firewalls, encryption of sensitive data or password management rules.
- Properly dispose of personal information as soon as it is no longer necessary for business operations. When disposing of old computers and portable storage devices, use software for securely erasing data.
- Have a plan to respond to security incidents. Designate someone on your staff with sufficient authority within your organization to coordinate and implement the response plan. Investigate security incidents immediately.
Please contact a member of the McGrath North Privacy and Data Security Group if you have further questions or would like to discuss your business’s cybersecurity practices and policies.