OX Blog

How the FTC Made Customer Data a Liability for Companies – And How to Fix It

Written by Rafael Laguna | Nov 9, 2015

It goes without saying that the last few years have seen an enormous surge in data breach activity. Cyber criminals and identity thieves are becoming increasingly adept at penetrating the databases of nearly any institution, ranging from small businesses to larger enterprises – even the federal government. The impact of these incidents varies wildly, but virtually all of them result in the leaking and sometimes sale of sensitive personal or corporate data.

Ashley Madison is one of the latest major names to fall victim to a data breach, with email addresses and personal information belonging to millions of Ashley Madison users leaked to the public. This scandal has sparked a series of lawsuits, extortion attempts and even alleged suicides, and reignited the conversation about data privacy, security and accountability.

By contrast, the trio of data breaches that struck the hotel chain Wyndham Worldwide seems downright tame. From 2008 to 2009, there were three separate incidents in which hackers compromised Wyndham’s systems and gained access to guests’ payment card and account information. In fact, the back-to-back data breaches at Wyndham were so egregious that the Federal Trade Commission (FTC) sued the hotel chain for failing to implement reasonable cyber security protections to safeguard customer data.

Wyndham responded to the FTC’s lawsuit with a complaint of its own, alleging that the FTC has no authority to punish companies for a lack of cyber protection, and that it had never made clear what exactly constitutes “reasonable” protection anyway. Despite this, the U.S. Court of Appeals upheld the FTC’s lawsuit, effectively putting a target on the backs of companies that fail to install reasonable – or in Wyndham’s case, any – cyber security protections for customer data.

It’s an important decision that has changed the security game, making it more vital than ever for CIOs and IT administrators to become well-versed in what their companies are doing (or, in too many cases, not doing at all) to protect customer information.

Encryption as the Way Forward

So, what should businesses do then? Wyndham may have dropped the ball (to say the least) in protecting its customers’ data, but they did raise a valuable point: what exactly constitutes FTC-friendly and “reasonable” protections? How should companies best safeguard data at rest and in transit, to both protect their customers and stay out of the FTC’s spotlight?

Encryption remains one of the best means in the cyber security toolbox for staying ahead of data theft. Despite the U.S. government’s efforts to chip away at encryption among private enterprises, many companies are starting to see not just the benefits, but more importantly the necessities, of encrypting their customers’ information. Last year, Apple took a huge step forward for encryption when they announced that iOS would encrypt customer data by default, rather than making it an option that customers can enable later – an option that many likely didn’t even know existed!

A new initiative, “Let’s Encrypt,” looks to keep the encryption ball rolling by handing out free SSL/TLS certificates, which encrypt data transmitted between websites and their users. Such certificates have often been prohibitively expensive for many to adopt, in turn opening them and their users up to the risk of cyber theft. But Let’s Encrypt, put together by the Internet Security Research Group and backed by Mozilla, will help further democratize one of the most fundamental and crucial aspects of web security and data encryption.
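The two questions above, how to safeguard data at rest and how to safeguard it in transit, have concrete answers. In transit, a TLS certificate of the kind Let’s Encrypt issues does the work. At rest, the record itself is encrypted before it is written to storage. The following is an added example, not code from OX or from the original post, showing what “encrypt the customer record at rest” looks like with Go’s standard library alone: AES-256-GCM, an authenticated mode, so a stored blob that has been altered is rejected instead of silently decrypting to garbage. The customer record, the customer id used as associated data, and the key handling are all constructed for illustration; in a real deployment the key would come from a key management service, not be generated next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// CustomerRecord is a constructed sample of the kind of data at issue in the
// Wyndham case: account and payment card details.
type CustomerRecord struct {
	Name       string `json:"name"`
	CardNumber string `json:"card_number"`
	Email      string `json:"email"`
}

// newGCM wraps a 32-byte key in AES-256-GCM. GCM both encrypts and
// authenticates, so any change to the ciphertext is detected on decryption.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewKey draws a fresh random key. Assumption for this example only: in
// production the key lives in a KMS or HSM, never beside the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal serialises a record and encrypts it. The random nonce is prepended to
// the ciphertext so Open can recover it; a nonce is never reused with a key.
// aad (e.g. the row's customer id) is authenticated but not encrypted, which
// ties the blob to its row so blobs cannot be swapped between customers.
func Seal(key []byte, rec CustomerRecord, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// Open decrypts a blob produced by Seal. It returns an error, not a record,
// if the blob, the key or the associated data does not match.
func Open(key []byte, blob []byte, aad []byte) (CustomerRecord, error) {
	var rec CustomerRecord
	aead, err := newGCM(key)
	if err != nil {
		return rec, err
	}
	if len(blob) < aead.NonceSize() {
		return rec, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, ct, aad)
	if err != nil {
		return rec, fmt.Errorf("decryption failed: %w", err)
	}
	if err := json.Unmarshal(plaintext, &rec); err != nil {
		return rec, err
	}
	return rec, nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample values, not real customer data.
	rec := CustomerRecord{Name: "Jane Doe", CardNumber: "4111111111111111", Email: "jane@example.com"}
	aad := []byte("customer-id:12345")
	blob, _ := Seal(key, rec, aad)
	fmt.Printf("stored %d bytes of ciphertext\n", len(blob))
	back, err := Open(key, blob, aad)
	fmt.Println("round trip ok:", err == nil && back == rec)
	blob[len(blob)-1] ^= 0x01 // simulate a corrupted or tampered stored blob
	_, err = Open(key, blob, aad)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The design point worth noticing is the failure mode: with an authenticated mode, a single flipped byte in storage produces an error rather than a plausible-looking but wrong record, and the associated data stops a valid blob from being replayed under a different customer’s id. Neither property helps if the key is stored beside the data, which is why key custody, not the cipher, is where most of the "reasonable protection" effort goes.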

Leveraging IT Talent

The truth is that encryption can only be as strong or reliable as the people who implement it. There’s a very important human element that goes into adopting encryption – and really, any kind of cybersecurity. CIOs and IT administrators have to coordinate to make sure their security teams are both wide enough and deep enough with talented personnel capable of addressing security concerns and implementing the right safeguards at the right time.

Taking a more proactive approach to data protection demands strong leadership that understands the value of investing in, elevating and retaining the right talent for IT. That talent can then adapt to and anticipate the actions or patterns of cyber threat actors, and establish meaningful and scalable responses before they end up in the news as the next Wyndham or Ashley Madison. After all, what good is encryption, password security or firewalls if the people putting them into place aren’t up to snuff? Without the right team behind your encryption and other cyber defenses, you could still end up putting your customers’ data at risk and yourself in the FTC’s crosshairs.

A Reasonably Secure Future

Companies like Target, Sony, J.P. Morgan Chase and Wyndham are just a small sample of the major brands that have been wracked by cyber breaches, and they have demonstrated exactly how failing to encrypt information, and to anticipate the need for encrypting customer information, can spell significant consequences for both their finances and their business reputations. With the FTC’s lawsuit and the Court’s ruling to uphold it, those consequences have now grown to another level, making the entire business model of handling and using customer data into a liability all its own.

This is the world we live in now, and the sooner companies integrate encryption and other “reasonable” cyber protections into their operations – demonstrating a clear commitment to protecting their customers’ personal information as they use it – the better off they, and their customers, will be in the long run.