Monday, February 27, 2006

FTC Takes An Interest In Data Security... ABOUT TIME!

Confronting the Legal and Business Realities of Data Security

With all the breaches of security involving customer identifying information and account data, there has never been a specific federal law that deals with these issues. But these breaches are serious risks to consumers. So now comes the Federal Trade Commission to the rescue... so to speak.

Just two years ago, the number of privacy and security laws was limited and applied only to companies in certain industries, or those that had international operations. Today the number of laws is staggering. Many states have stepped into the breach and enacted legislation requiring data security, as well as notice to consumers when security breaches occur. Moreover, although there is no federal law that generally requires information security, recent Federal Trade Commission actions indicate that the FTC is, for the first time, imposing a generalized duty to establish information security via the Federal Trade Commission Act.

Compliance with these laws is not only a legal reality, but also a business one, as the frequent and well-publicized data security incidents demonstrate. New notice laws require companies to advise customers of the high-profile data security incidents that frequently make headlines. Companies must now deal with increasingly complex requirements that are not consistent across all states. The price of failure can be high -- including significant penalties as well as unfavorable press coverage.

Can it be that the FTC is actually concerning itself with customer complaints during an ultra-conservative, pro-big business, Republican administration? Color me confused... but happy to see it.

FTC'S ROAD TO DATA SECURITY

The FTC has shown that it will take steps to protect data security, even in the absence of explicit statutory requirements. In the past, the FTC only brought enforcement actions against companies that represented they had security in place, when in fact they did not.

Recent cases only further demonstrate the FTC's commitment to protecting consumers' sensitive information. In a case involving CardSystems Solutions Inc. that arose from the allegation that a vast number of consumers' credit card numbers were exposed, the FTC brought an enforcement action even though it could not obtain any civil penalties in the case. The FTC did, however, obtain a consent order that places additional security burdens upon the company. Notably, the judge rejected the FTC's request to provide notice to the affected consumers because there was no showing of immediate harm, particularly in light of the credit card companies' so-called "zero liability" policies for consumers.

Won't there be complaints from the far-right about "legislating" from the executive branch and "executive activism"? Will the stacked federal bench support this move? Will Rocky and Bullwinkle escape the dastardly plan hatched by Boris and Natasha? Tune in next week for...????

As you can tell, I am a bit skeptical and cynical. The FTC has a record of "underperforming" during Republican administrations. While I applaud and approve the plan to spread the FTC umbrella to include these data security issues, one has to wonder if the current administration is up to the task. After all, it can't seem to keep its own data secure or explain all of its major screw-ups.

Another notable case that shows the FTC is following a new path involves footwear retailer DSW. DSW involved allegations that there were failures of network security for customer data, including financial data. The FTC brought an enforcement action against DSW because of alleged security breaches involving customer data. However, unlike prior cases, DSW had not made specific representations to consumers regarding security. This did not stop the FTC from claiming that the alleged lack of security constituted an unfair business practice under the FTC Act, which in turn led to the FTC seeking significant sanctions against the company. In most cases, including DSW, any resolution with the FTC requires significant monitoring and reporting to the FTC regarding data security and privacy.

This is surely going to meet with some resistance from the lobbyists. I wonder what kind of "lucrative favors" they will be offering to assuage the assaults on business as usual? Maybe I need a job interviewing lobbyists for some Washington bigwig?
