by Scott M. Lewis
Can the Government sue businesses for a lack of network security? The short answer is Yes, and this is nothing new. The FTC sued Wyndham Worldwide Corporation in 2012, and in 2015 the Third Circuit ruled in FTC v. Wyndham that the FTC could bring such suits under Section 5 of the FTC Act; Wyndham then settled. The conclusion was that the government can sue businesses for security failures that result in substantial harm to their customers. In a more recent case, Johnson & Bell, a Chicago-based law firm, was sued for negligence (in a class action brought by former clients) for allowing network security to lapse without taking the necessary steps to mitigate risks to client information.
New security regulations and compliance requirements are something companies need to pay attention to, especially when spinning off divisions, purchasing companies, closing down a business, or simply running normal operations. Managing your exposure to data breaches during any of these transitions can be tricky and costly if you do not manage the data security and network security aspects of the relationship. The Wyndham ruling does, however, set out limitations: there are basic criteria the FTC must satisfy before it can bring an unfairness claim.
- Substantial injury. The FTC must demonstrate that consumers were substantially harmed by the hack, e.g., stolen credit card or other personal information and the resulting fraud losses.
- Not reasonably avoidable. The consumer could not reasonably have avoided the harm. In Wyndham's case, the company claimed to have proper security but, as it turned out, did not: out-of-date firewalls, no monitoring of the network for security breaches, no password change policy, and weak corporate policies were among the basic failures.
- Not outweighed by countervailing benefits. The most difficult prong is demonstrating that the injury to consumers was not outweighed by benefits to consumers or competition. In practice this turns on what you knew, and when you knew it, about the lack of security putting your clients' personal information at risk.
These cybersecurity suits are going to become more prevalent as companies in the United States and elsewhere adopt practices modeled on the GDPR. The GDPR is the European Union's General Data Protection Regulation, adopted in 2016 and in force since May 25, 2018. It focuses on the protection of personal data, and its Article 32 requires appropriate technical and organizational security measures, so it reaches how companies secure the networks and systems that hold that data. It has also served as the model for similar laws in other countries. The United States has no federal equivalent, but the GDPR applies to organizations outside the EU that offer goods or services to, or monitor the behavior of, people in the EU; with a global economy, and with EU-based employees or customers, a US company can be required to comply.
A basic rule of thumb that came out of the FTC v. Wyndham decision is that if a company has made a written or verbal promise that it meets or exceeds industry-standard security measures, and it is revealed that it did not, the company has exposed itself to legal action from the FTC.
However, the FTC cannot mandate that companies meet industry standards for network security, and it cannot sue purely for falling short of them; under the unfairness theory it must show substantial consumer injury, which in practice has meant stepping in after a breach. Another mistake Wyndham made was not following its own published privacy statement, the document that outlines how the company collects, uses, and stores customer information.
These regulations are something all companies should be paying attention to, especially with the GDPR in force and state laws now taking effect. If you are concerned about the state of your cybersecurity, here are some basic items to consider. According to SecurityMetrics, you should review the following:
- Update and follow your privacy statement. It should be part of your employee handbook, and it should be published and kept up to date on your website.
- Use strong usernames and passwords, along with two-factor authentication, especially for remote and mobile users.
- Ensure that your firewalls are up to date, not only in firmware but as current, vendor-supported models. Do not let them fall behind the industry standard.
- Install and update anti-virus software on all workstations and servers.
- Change passwords and usernames immediately after a breach, and rotate passwords regularly even when there has been none.
The Federal Government and the GDPR are not the only compliance regimes you need to be aware of and start planning for. Many states are passing data and customer information protection acts. Georgia's Personal Data Security Act has not passed yet, but it is a sure indication of the direction states are taking to protect personal and client information. The California Consumer Privacy Act, which went into effect on January 1, 2020, requires that companies be completely transparent about what personal information they collect and how it is shared and protected. New York's SHIELD Act, whose security requirements took effect in March 2020, is directly targeted at hacking prevention and sets out the standard of protection that companies must maintain for personal and client information. Many other states are considering, or have started the process of passing, legislation on data protection, management, notification, and breach protocols. Most of these acts apply not only to companies located in those states but to any company that does business with their residents, which makes them far-reaching.
Cybersecurity may seem like a simple process, and most of us are doing the right thing, but the penalties these regulations attach to non-compliance can get expensive quickly. GDPR and state-mandated regulatory requirements are real, so you must start reviewing them and working towards compliance. It has been my recommendation to pick the most restrictive regime, meet those requirements, and then you are covered everywhere else. This means you have to plan and budget for these new standards and processes, and provide training to your users on what is now expected of them to remain in compliance.
Scott Lewis is the President and CEO of Winning Technologies Group of Companies, which includes Liberty One Software. Scott has more than 36 years of experience in the technology industry and is a nationally recognized speaker and author on technology subjects. Scott has worked with hundreds of large and small businesses to empower them to use technology to improve work processes, increase productivity, and reduce costs. Scott has designed thousands of systems for large, medium, and small companies, and Winning Technologies’ goal is to work with companies on the selection, implementation, management, and support of technology resources. Learn more about Winning Technologies at www.winningtech.com or call 877-379-8279.