Recently I sat down with Renee Murphy and our own Chief Counsel, Neil Stelzer, to discuss regulatory topics, including the impact of the 7th Circuit effectively lowering the threshold needed to bring a class action lawsuit over a data breach. The ruling holds that harm occurs the moment a data breach occurs, not if or when the stolen data is used to commit fraud. On the heels of that ruling, the 3rd Circuit has now upheld that the FTC can sue companies for being breached.
The questions will of course be asked: what constitutes "adequate resources in cybersecurity", and what if companies elect to state in their fine print that they no longer protect privacy? What if you invested a large amount of resources in antivirus solutions? Is that adequate? No doubt many will argue that their breaches were the result of "very sophisticated attackers." The reality, however, is that litigation is costly, lengthy and guaranteed to extend the amount of negative press associated with the company's brand. Further complicating the matter is the fact that the FTC is unlikely to publish prescriptive guidelines similar to PCI DSS or the HIPAA rules for PHI. Some would argue that is actually a good thing, as being compliant has never equaled being secure. Companies are simply expected to take adequate care of the sensitive data entrusted to them. Alan Butler, attorney for the Electronic Privacy Information Center, said this: "This is a huge victory for the FTC, but also for American consumers. We see services and companies being hacked on an almost daily basis now. Having the FTC out there, bringing actions against companies that fail to protect consumers' data is a critical tool."
Inserting EULA language that disclaims any obligation to protect customer privacy, in an attempt to evade the FTC, would be a competitive disadvantage, would fall short of other regulatory standards, and would still trigger state breach notification laws. We will not legislate our way to increased security, nor should we try; however, it may be time that our protections caught up to those in the EU.
The cost per record of a data breach will no longer be the metric that matters. The real impact is felt when the FTC requires a company's data protection systems to be placed under regulatory oversight for a period as long as 20 years.