Posted May 5th, 2014 in Legal Insights

Despite Lack of Regulatory Guidance, FTC Authorized to Pursue Enforcement on Corporate Data Breaches

As if it’s not enough already, companies reeling from data breaches have more to worry about than angry customers, a tarnished brand, fixing their security lapses and the specter of civil lawsuits. A federal judge recently agreed that the Federal Trade Commission has the authority to regulate and police business cybersecurity practices, including bringing lawsuits against companies that suffer breaches that put consumer information at risk. In a lawsuit brought by the FTC against hotel operator Wyndham Worldwide Corp., the U.S. District Judge in New Jersey rejected Wyndham’s contention that the FTC didn’t have the authority to bring the suit. This closely-watched case should serve as an important warning for businesses on the issue of online security, says Cynthia Arends, a shareholder and commercial litigation expert with Nilan Johnson Lewis. “The FTC doesn’t have specific guidance for required online security practices – after all, how quickly would they become outdated?” says Arends. “But they do issue consent orders to companies that have resolved previous FTC allegations.” Besides developing strong online security protections, Arends recommends reviewing those consent decrees in order to understand what the FTC expects from the business community. “That can go a long way toward keeping the FTC from knocking on your door if a malicious party somehow manages to pick the lock.” For more information on this hot-button issue, contact Cynthia Arends at (612) 305-7525.