Court Ruling Affirms Business Responsibility to Protect Customer Data

In the wake of high-profile security breaches like the most recent one on Ashley Madison, as well as the Target breach last year, it’s no wonder consumers don’t trust businesses with their data.

A recent court decision may result in companies being held accountable for protecting user data.

The case, FTC v. Wyndham Worldwide Corp., dates back to security attacks that took place in 2008-2009. The FTC filed suit in 2011, charging that Wyndham’s security practices were unfair and deceptive, citing three security breaches in which personal and financial data of Wyndham customers was stolen. The three breaches resulted in $10 million in fraudulent charges.

Of course, Wyndham challenged these allegations and even filed to dismiss the charges, arguing that it had no fair notice of what specific security protocols it should be using. However, the appeals court found Wyndham’s arguments unconvincing and affirmed the lower court ruling that yes, Wyndham could be held accountable for its weak security protocols and yes, it was the FTC’s job to be the source of accountability.

According to the ruling:

A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.

Some white-hat hackers aim to expose vulnerabilities in digital security as a way to both raise consumer awareness and encourage businesses to do better. This was the justification stated by the Ashley Madison hackers as well as the IT specialist who published 10 million passwords earlier this year.

While the court ruling affirms the FTC’s responsibility for holding businesses to account, one privacy advocate told Wired that we should expect the FTC’s responsibility to go unchallenged. He noted, however:

The law has always imposed responsibility on companies for the care of their customers…Data is just something new that companies have to protect if they want to bear the benefits of collecting it.
