In previous posts, I’ve explained how cybercrime is big business, and the criminals behind the illegal activity run sophisticated online companies. Today, let’s begin talking about how to defend your company against them. We’ll start with the Federal Trade Commission (FTC), the de facto data security and privacy enforcement authority in the United States.
Unfair or Deceptive Practices
The 1914 Federal Trade Commission Act did away with the concept of “caveat emptor” (or, “buyer beware”), in favor of a more consumer-friendly regime that requires sellers to operate at a higher standard.
The law states that “Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” 15 U.S.C. § 45
Don’t let the simplicity of this law overshadow its broad power. It has been reimagined for our digital age to be applicable to the practice of cybersecurity.
And, if your website says you encrypt all personally identifiable information, you’d better do that.
To do otherwise, in either case, you could be found to have committed an “unfair or deceptive act.” And, since 2010, the FTC has sanctioned over sixty companies for lapses in cybersecurity. Big names, like Twitter and Petco, as well as smaller ones, like GMR Transcription. You can read all about each case on the FTC’s website, but here’s a summary of each one I’ve mentioned:
In its action against Twitter, Inc., the FTC alleged that the company gave almost all of its employees administrative control over Twitter’s system. According to the FTC’s complaint, by providing administrative access to so many employees, Twitter increased the risk that a compromise of any of its employees’ credentials could result in a serious breach.
In the complaints against Petco Animal Supplies, Inc., the FTC alleged that they failed to implement policies and procedures to safeguard consumers’ information.
And, in its complaint against GMR Transcription, the agency alleged that GMR’s data security practices were inadequate and resulted in transcriptions of audio files provided by GMR’s customers being indexed by a major search engine and made publicly available to anyone using the search engine.
Next week, we’ll dive into why the FTC says you need to practice reasonable cybersecurity and what that means to you.
Here are links to the entire series of blog posts on the Anatomy of a Hack