Insurance Against The FTC’s Claims of Deceptive Acts and Practices: Developing Your Own Industry Standards For Data Security
We have been discussing what businesses can do to protect against the Federal Trade Commission commencing an enforcement action against them for allegedly failing to take reasonable precautions to ensure the safety of their customers’ private data, such as financial information, dates of birth, social security numbers, and even health records: Develop, and implement, industry standard, and commercially reasonable, data security practices. This time, we will see just how effective those efforts are by, in effect, asking Target.
What makes such Industry Standard Practices and Commercially Reasonable Efforts so promisingly effective is that:
- They were approvingly cited as source of guidance as to what a business must do to properly protect its customers’ data, by the court in the case entitled, The Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corp., et al., Defendants. Civil Action No. 13-1887 (ES), United States District Court, D. New Jersey. This was the same case which approved the FTC’s right to police data security practices.
- Many businesses use those terms in their posted privacy policy.
- The FTC already has demonstrated a willingness to allege deceptive acts or practices against companies that claim they follow Industry Standard Practices and take Commercially Reasonable Efforts to ensure data security but nevertheless suffer data breaches. This is what the FTC did in the Wyndham case. The FTC, in effect, will see a data breach; examine how it happened; determine that the precautions the company took to safeguard the data were inadequate and therefore did not meet Industry Standards or amount to Commercially Reasonable Efforts; and claim that the company deceived their customers by putting those terms in their privacy policy without abiding by them.
- Companies can define, on their own, what Industry Standard Practices and Commercially Reasonable Efforts, actually mean, for their business and their customers
Some companies, and industries, have gone to great lengths to define Industry Standard Practices and Commercially Reasonable Efforts for themselves. We previously pointed out the extraordinary data security efforts leading retailers were taking to protect the safety of their customers’ sensitive, private information; how they were sharing information, between themselves and governmental agencies, and collaborating with outside experts, to develop industry standard practices in data security; how they established an independent entity, the Retail Cyber Intelligence Sharing Center, or R-CISC, to do exactly that. We also examined a benefit of, if not the actual reason for, the retailers’ efforts: To protect themselves.
Retailers seem to be some of the most tempting targets of data security breaches. They handle large amounts of their customers’ financial information every day. Credit and debit card numbers are perhaps the most inviting targets because they are so lucrative and can be turned into illicit gains so quickly by cyber-criminals. Here are some facts which might put the retailers’ efforts into perspective:
.
- 70 million people, approximately, had their names, addresses and phone numbers stolen this past holiday season.
- 40 million people, approximately, had their credit and debit card information, reportedly, stolen at the same time.
- Both of these resulted from one data breach, which occurred at Target.
- The FTC, evidently, has not yet started an enforcement action against Target for allegedly failing to take reasonable precautions to protect its customers’ data.
- The FTC, however, did bring an enforcement action against LabMD, for allegedly exposing the private data of approximately 10,000 people, even, evidently, without evidence of actual quantifiable harm.
This might be considered unusual, in light of what has been reported to be Target’s alleged responsibility for the data breach. According to a report, which we previously noted, by Michael Riley, Ben Elgin, Dune Lawrence, and Carol Matlack, published in Bloomberg Businessweek on March 13, 2014:
- Six months before the Data Breach, Target began installing a malware detection tool, made by the computer security firm FireEye, on its system.
- Before any credit card information was stolen, the FireEye security system detected that hackers had installed malware on its systems and warned Target with its highest level warnings.
- Target didn’t act on those warnings; it reportedly discovered them when it looked back after the fact to see how the breach occurred.
- If Target’s security team had acted on the warnings at the time, the Data Breach would not have occurred.
There are a number of differences between the LabMD case, the Wyndham case, and the Target data breach. One, though, seems clear: Target is working to define Industry Standard Practices and Commercially Reasonable Efforts for data security. Target, reportedly, strongly supports the Retail Industry Leaders Association’s cybersecurity initiative noted above, and will have a senior executive sit on its board.
When you consider those facts, the potential benefits of such efforts to create and define Industry Standard Practices and Commercially Reasonable Efforts for data security, through public-private partnerships with the involvement of law enforcement agencies, become even clearer. No one knows what the future might hold; and that is all the more reason for such an insurance policy.
Go raibh maith agat.
Ray Grasing