Strong data security is not optional
Tasked with protecting consumers from unfair and deceptive business practices, the Federal Trade Commission’s Bureau of Consumer Protection will now launch investigations if it detects risky behavior regarding the security of customer data. No actual injury or breach is required. Companies found to have substandard data security practices may face a variety of penalties. Recently, despite the lack of documented harm to clients, R.T. Jones Capital Equities Management agreed to settle charges that it failed to establish required cybersecurity policies and procedures before a data breach that compromised the personally identifiable information of approximately 100,000 people. The FTC also has the power to investigate discrepancies between a company’s published “terms of use” and how its data is actually stored and shared.
Since no court has yet ruled that the FTC lacks such jurisdiction, the bureau has stepped up its consumer privacy activity, and enforcement actions have skyrocketed. Any organization that deals with consumer information is subject to an investigation.
At the same time, the law is catching up with the real impact of data breaches. A truly game-changing ruling in Remijas v. Neiman Marcus has made it easier for consumers to sue companies after breaches involving their personal data. Historically, even when sensitive information such as credit card numbers, birth dates, government ID numbers and medical records have been accessed, it’s been hard for consumers to sue companies over the breach. Companies have typically been able to avoid these lawsuits by invoking a Supreme Court case, Clapper v. Amnesty International. The case, which was about phone records and national security, required a showing of a risk of “imminent” and “concrete” injury in order to have standing to bring suit.
As a consequence of the Remijas case, however, consumers no longer have to show a risk of imminent and concrete injury in order to file suit, which means that a company’s failure to properly oversee data and how it responds to a breach may be sufficient grounds to sustain class actions by affected customers, whether or not they suffered a financial loss.
In addition to reducing the risk of lawsuits and investigations by the FTC and the Securities and Exchange Commission, a strong, proactive security posture can actually save organizations a substantial amount of money. While companies should assume that data breaches are a new fact of life, many breaches could have been prevented if the affected company had implemented simple security controls and best practices. The Ponemon Institute concluded that a variety of security measures could significantly decrease the cost of a breach by $7 to $12 per record, a significant amount when hundreds of thousands or millions of records are involved. “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs,” said Marshall S. Sprung, co-chief of the SEC Enforcement Division’s Asset Management Unit.
To avoid the costs and rapidly expanding liability associated with data breaches and a company’s lack of oversight, organizations need to vigilantly protect themselves and their customers. Here are the key elements required to establish a strong security posture, reduce the risk of a breach and limit the damage and cost should a breach occur:
Heidi Maher is an attorney, an information governance specialist and the executive director of the Compliance, Governance and Oversight Counsel (CGOC).