The Federal Trade Commission has taken new assertive action to protect consumer data privacy interests, this time relating to breaches of payment card information, and other consumer personal information by Wyndham Worldwide, a company which owns and manages hotels.
Just recently, the FTC settled charges against Accretive Health relating to inadequate data security protections that resulted in the theft of patient records. This settlement is on top of the charges filed by the Minnesota State Attorney General against the Business Associate that resulted in the company being banned from doing business in Minnesota for six years, reminding businesses that data breaches may incur actions from a variety of state and federal authorities.
Most recently, a United States District Court in New Jersey upheld the FTC’s authority to penalize Wyndham Hotel and Resorts for “failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information.” In this case, failure to implement reasonable data safeguards resulted in multiple data breaches of consumer payment card information as well as personal information including address, social security numbers, and other identifying data.
Wyndham’s “failure to implement reasonable and appropriate security measures exposed consumers’ personal information to unauthorized access, collection, and use.”
Results of the poor data security safeguards included:
- three separate data breaches.
- the exposure of over 619,000 consumer credit card numbers to a Russian domain.
- fraudulent credit card charges for many consumers’ over $10.6 million in fraud loss.
The injuries to both businesses and consumers included unreimbursed fraudulent charges, costs of remediation, reduced or eliminated funds or credit, and significant time and money to investigate and resolve fraudulent charges.
The District Court decision raises the question of what businesses are outside the reach of the FTC, and the answer seems to be: very few. Actions by the FTC should serve to put all businesses that come into contact with sensitive consumer information on notice that protecting sensitive information is not optional, addressable, or low priority. Data protection of health, payment, and personal consumer information is becoming both paramount and complex in a landscape of ever increasing sophistication of cyber criminals to access and benefit from sensitive personal information.
Appropriate data safeguards are not limited to technical security protections like cloud encryption, anti-virus, intrusion protection and detection, and daily review of log files. Data security must also include physical security safeguards to restrict access to sensitive information and administrative safeguards that include thorough and frequent training for all employees on their responsibilities and what to watch for.
For more information, register for our webinar about the impact of FTC authority with our guest Tatiana Melnik, IT privacy and security attorney.
Webinar: Is the FTC Coming After Your Company Next? Court Confirms that the FTC Has Authority to Punish Companies for Poor Cyber Security Practices
Businesses that collect or use consumer information – including social security or credit card numbers, protected health information, and other sensitive data – are responsible for implementing cyber security measures to safeguard it and live up to the promises made. Those who fail to protect personal information are subject to actions from both state and federal authorities as well as lawsuits from individuals. Most recently, the FTC, with its broad authority to pursue action against any business engaging in interstate commerce, is stepping up its investigation and enforcement activities in 2014 across many industries including healthcare, hospitality, and mobile applications. What does this enforcement environment mean for businesses that are increasingly handling personal digital information in terms of liabilities and information assurance strategies?
Join us at 2 p.m. ET on Tuesday, April 29 with IT privacy and security attorney Tatiana Melnik to learn more and get your questions answered.
Encrypting Sensitive Information in the Cloud
Protecting Data in Mobile Apps
PCI Compliant Hosting
HIPAA Compliant Hosting
Why is it so hard to secure a company?
Encryption – Perspective on Privacy, Security, and Compliance
Security and Privacy Concerns with Patient Portals