Can the government sue businesses for lack of network security? The short answer is yes. This is nothing new: the FTC sued Wyndham Worldwide Corporation in 2012 over a series of breaches of its hotel reservation systems, and in 2015 the Third Circuit, in FTC v. Wyndham Worldwide Corp., upheld the FTC's authority under Section 5 of the FTC Act to pursue companies whose inadequate data security causes substantial harm to consumers; Wyndham settled with the FTC later that year. Separately, Johnson & Bell, a Chicago-based law firm, was sued for negligence (in a class action brought by its own clients rather than by the government) for allegedly letting known weaknesses in its systems persist without taking the steps needed to mitigate the risk to client information.
New security regulations and compliance requirements are something companies need to pay attention to, especially when spinning off divisions, acquiring companies, winding down a business, or simply running day-to-day operations. Managing your exposure to data breaches during any of these transitions can be tricky and costly if the data-security and network-security aspects of the relationship are not managed. The FTC's authority does have limits, however. To bring an unfairness claim under Section 5 (the three-part test is codified at 15 U.S.C. 45(n)), the FTC has to demonstrate the following:
- The practice caused, or is likely to cause, substantial injury to consumers. In Wyndham's case that meant hundreds of thousands of compromised payment-card accounts and more than $10 million in fraudulent charges. The injury has to be to consumers, such as exposed credit-card numbers or personal information; the company's own loss of business or corporate data does not by itself satisfy this prong.
- Consumers could not reasonably have avoided the injury themselves. Wyndham's customers had no way to know that the company, which claimed to have proper security, did not in fact have it: the FTC alleged it ran outdated, unpatched systems, stored card data in readable clear text, allowed default and easily guessed passwords, lacked firewalls at critical points, and did not monitor its network for intrusions. Out-of-date firewalls, no monitoring for breaches, weak password policies and weak corporate security policies are the basic examples.
- The injury is not outweighed by countervailing benefits to consumers or to competition. This is the hardest prong to litigate, and in practice it comes down to what you knew about the weaknesses, when you knew it, and what fixing them would have cost relative to the risk to your clients' personal information.
These cybersecurity suits are going to become more prevalent as the United States moves toward GDPR-style rules and as many companies work to meet GDPR itself. GDPR is the General Data Protection Regulation, a European Union regulation adopted in 2016 and enforceable since 25 May 2018. It is focused on the protection of personal data: Article 32 requires controllers and processors to implement appropriate technical and organizational measures, such as encryption, access control and regular testing of those controls, to secure that data. It does not regulate corporate data that is not personal data, and it has not "spread" to other countries as such; rather, other jurisdictions (Brazil's LGPD and California's CCPA are examples) have since passed laws modeled on it. The United States has no federal equivalent. However, GDPR's reach is extraterritorial: if you offer goods or services to people in the EU, monitor their behavior, or employ staff in the EU whose personal data you process, expect GDPR to apply whether or not you have an office there.
A basic rule of thumb that came out of FTC v. Wyndham is that if a company has stated, in writing or verbally, that it meets or exceeds industry-standard security measures, and it is then uncovered that it did not, or the company is breached, it has exposed itself to legal action from the FTC. The FTC cannot issue binding network-security standards or force companies to adopt any particular one, and it cannot sue a company merely for falling short of a standard; its unfairness theory requires actual or likely consumer injury, which in practice means it acts after a breach. Its deception authority is different: a privacy or security promise that a company does not keep is actionable on its own. That was Wyndham's other mistake. It did not follow its own published privacy statement, the document that tells customers how the company collects, uses, stores and protects their information.
These regulations are something all companies should be paying attention to, GDPR above all, but if you are concerned about the state of your cybersecurity, here are some basic items to consider. According to SecurityMetrics, you should review the following:
- Update and follow your privacy statement. It should be part of the employee handbook, published on your website, and kept current, because a privacy statement you do not honor is exactly what the FTC treats as a deceptive practice.
- Use strong, unique passwords (and non-default usernames on administrative accounts), and require two-factor authentication, especially for remote, VPN and mobile users.
- Keep firewalls up to date, not only in firmware but in hardware: they must be current, vendor-supported models with a maintained rule set. Don't let them fall behind the industry standard.
- Install, update and centrally monitor anti-virus/endpoint protection software on all workstations and servers.
- If a breach happens, change the affected passwords (and the usernames of administrative accounts) immediately. Beyond that, change passwords on a regular schedule; note that current NIST guidance (SP 800-63B) favors rotating credentials on evidence of compromise rather than on a fixed calendar, so pair any rotation policy with the breach monitoring above.
The federal government and GDPR are not the only compliance regimes you will have to be aware of and plan for. Many states are passing data- and customer-information protection acts. Georgia's Personal Data Security Act has not passed yet, but it is a sure indication of the direction states are taking to protect personal and client information. The California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, requires companies to be transparent about what personal information they collect and how it is used and shared, and gives consumers the right to access that information, have it deleted, and opt out of its sale. New York's SHIELD Act (Stop Hacks and Improve Electronic Data Security) is aimed squarely at breach prevention: it sets out the reasonable administrative, technical and physical safeguards companies must maintain to protect New York residents' private information. Its breach-notification provisions took effect in October 2019 and its security requirements in March 2020. Many other states are considering or have begun passing legislation on data protection, management, notification and breach protocols. Most of these acts apply not only to companies located in the state but to any company that does business there or holds its residents' data, so they are far-reaching.
I know this seems like a simple process and that most of us are doing the right thing, or trying to, but these regulations, and the penalties associated with non-compliance, can get expensive quickly. GDPR is real, and the state-mandated regulatory regimes are real if you do business or have customers in those states, so you must start reviewing and working toward meeting them. It has been my recommendation to pick the most restrictive one and meet that; then you are covered everywhere else. This means you have to plan and budget for these new standards and processes, along with providing training to your users on what is now expected of them to remain in compliance. The truth of the matter is that most security breaches involve human error, so don't overlook that in your planning.
By Scott M. Lewis, President / CEO Winning Technologies, Inc.
About the Author: Scott Lewis is the President and CEO of Winning Technologies Group of Companies, which includes Liberty One Software. Scott has more than 36 years of experience in the technology industry and is a nationally recognized speaker and author on technology subjects. Scott has worked with hundreds of large and small businesses to empower them to use technology to improve work processes, increase productivity, and reduce costs. Scott has designed thousands of systems for large, medium, and small companies, and Winning Technologies' goal is to work with companies on the selection, implementation, management, and support of technology resources. To learn more about Winning Technologies, call 877-379-8279.