HIPAA. PCI. SOX. All very familiar, but rather industry-specific, acronyms in the world of regulating data security. A recent court decision confirmed the authority of another powerful player – the FTC – to be the omnibus data security enforcer of the federal government.
In the next installment of Online Tech’s free ‘Tuesdays at 2′ educational webinar series, guest host Tatiana Melnik will explain the Federal Trade Commission v. Wyndham Worldwide Corporation court case, discuss the FTC’s broad discretion to take legal action against companies, the technology controls the FTC expects organizations to have in place, and the important role privacy policies play in gauging data compliance.
The webinar – titled Is the FTC Coming After Your Company Next? Court Confirms that the FTC Has Authority to Punish Companies for Poor Cyber Security Practices – will be held from 2 to 3 p.m. ET on Tuesday, April 29. (Register here.)
After Wyndham suffered three separate data breaches at the hands of hackers, the FTC filed suit that one of the world’s largest hospitality company’s website deceptively stated it reasonably protected consumers’ privacy. Wyndham filed to dismiss the case, citing – among other points – that the FTC lacks authority to regulate data security. The U.S. District Court for the District of New Jersey ruled for the FTC in rejecting Wyndham’s challenged to the FTC’s authority over data security practices.
Melnik, a Tampa-based IT privacy and security attorney, will dive into the implications for all businesses storing personal customer information as FTC enforcement becomes increasingly stringent.
“It’s always helpful to know what the regulators find problematic, so we’ll go through and talk about the issues the FTC found problematic in this case and several other cases,” said Melnik.
Melnik notes that each of the dozens of enforcement actions the FTC has undertaken in recent years argues that a company’s failure to maintain privacy and security protections was deceptive or unfair. This highlights the language found in privacy policies. Not meeting expectations laid out in grandiose privacy policies can be deemed as “deceptive or unfair” as not meeting commercially reasonable standards for data protection.
“Privacy policies do get used against companies. If it’s not a true reflection of what actually happens at a company, that’s quite problematic if there’s a breach,” Melnik said. “To say that you ‘take any and all measures to protect consumer information’ just isn’t true. You most likely can’t afford to take ‘any and all measures.’”
Tatiana Melnik is an attorney concentrating her practice on IT, data privacy and security, and regulatory compliance. She regularly writes and speaks on IT legal issues, including HIPAA/HITECH, cloud computing, mobile device policies, telemedicine, and data breach reporting requirements. She is managing editor of the Nanotechnology Law and Business Journal, and a former council member of the Michigan Bar Information Technology Law Council. Melnik holds a JD from the University of Michigan Law School, a BS in Information Systems and a BBA in International Business, both from the University of North Florida. For more information, visit www.melniklegal.com.