June 29, 2018

The Instrumental Role that FTC Plays in Data Privacy Policy and Enforcement

There are always interesting and insightful presentations at the RSA security conference, and this year was no exception.

However, there was one session that really captured our attention: “Cybersecurity and Data Breaches from a Business Lawyer’s Perspective.” This was presented by Kathy Winger, a practicing business attorney who provides guidance on data privacy laws and the legal ramifications of cybersecurity to her SMB clients. Ms. Winger has extensive experience in the banking industry, especially related to the increase in credit card fraud and the substantial losses associated with it.

At ARIA Cybersecurity Solutions, we spend a lot of time helping our customers improve compliance with data privacy policy and regulations such as PCI DSS, GDPR, 23 NYCRR 500 and more. But one area that we haven’t yet taken much time to address is the driving force behind the regulations. This idea was at the heart of Ms. Winger’s presentation, and we felt it was important enough to share.

This is the idea that the Federal Trade Commission (FTC) has assumed the position as the nation’s primary privacy and data security enforcer. The FTC has rulemaking power to address data privacy issues and concerns about industry-wide practices, particularly those focused on fraud that affects consumers.

The FTC’s data privacy policy impact on business liability

The FTC’s rulings have given it broad latitude in this area over the years. The impact of its clarifications regarding cyber-fraud liability has had wide, often overlooked, implications for general business liability. The watershed incident happened four years ago in the aftermath of the Target breach. Until then, any form of credit card fraud or loss was the responsibility of the banks and financial services companies that issued the cards.

However, in this case, Target was found to be negligent, and the data privacy liability was ultimately assigned to the company. This opened the floodgates against companies whose “cyber negligence” leads to losses, because those impacted can now sue them for incident-related losses.

Common data privacy policy misconceptions lead to surprising risks

At this point, you might be thinking, “I don’t work for Target, and we’re not a retailer, so this really has no impact on my business, right?”

Wrong. The interpretation from this case is that any business of any size in any industry can be sued by any business, consumer, or group. Worse, it’s up to the business to prove that it’s not negligent. The burden of proof actually falls on the defendant businesses in these civil cases.

Banks are using this in the retail industry to go after merchants or any service vendors that take card payments, but it doesn’t stop there. Small businesses are getting sued, and in many cases, it’s due to poor practices by their vendors. Also, the shocking part is that cyber insurers are reacting to their exposure and have begun to aggressively go after anyone they think they can blame as negligent to recover money they paid out in claims. Note that this may be someone else’s insurer, including your customers, your suppliers, or even those who insure consumers against identity loss.

The burden of proof

Ms. Winger went on to provide revelations that most of us non-lawyers are never exposed to. For example, it turns out that the courts don’t treat businesses the same way they treat consumers. Where there may be a lot of latitude for the courts to protect the individual, all bets are off if you’re a business defending yourself against such claims. In civil suits you are not presumed innocent until proven guilty – it’s the preponderance of evidence that decides your fate. So, you have to prove that you and your business are innocent.

Ms. Winger also described several legal proceedings brought against small businesses. She was initially surprised to see that the courts had little sympathy for SMBs, especially since this wasn’t consistent with the leeway they typically provide for individuals who get in trouble with technical provisions of the law.

Many attendees had questions during her presentation. For example, wouldn’t cyber insurance protect such businesses if a breach happened? The short answer is maybe—but you better read your policy very carefully.

In some cases, there are easy-to-overlook boilerplate exclusions of coverage that can be triggered. For instance, these policies often exclude coverage if the company broke any federal or state statute, so if your company is in violation of such a law, the insurance company doesn’t have to pay.

Another example is that 26 U.S. states have data privacy policies and laws requiring businesses to report breaches of residents’ PII data within a certain number of days. (These timeframes are usually 30 days or less from the time the breach occurred or was first detected.) This proves to be a real challenge for any business since the industry average for breach detection is well over two months. Insurance companies know this, and if they find that this notification period was exceeded, they have grounds for not paying for any and all related costs, including lawsuits.

But wait! There’s more to this data privacy policy story, so stay tuned for our next blog on late-breaking news from the courts.

ARIA Cybersecurity Solutions are optimized to protect your critical assets

In order to remove the risk of noncompliance fines, organizations must make their data impenetrable and have a highly focused breach response. To do this, there must be a greater emphasis on automating processes to alleviate as much manual effort and uncertainty as possible. Interested in learning more about what makes ARIA Cybersecurity Solutions different? Download our white paper, “How to Secure DevOps Across Any Environment,” or contact us today.


Tags: data breach, gdpr, cybersecurity, data protection