Many referred to 2014 as the "Year of the Breach." Yet, the number of people whose data was breached in 2015 exceeded that of the previous year. The U.S. Government's Office of Personnel Management, CVS and T-Mobile are just a few of the larger-scale victims. And the bad news is there is no end in sight - anywhere in sight. We can be sure that these attacks will continue in all shapes, sizes and categories. No one is immune.
How do we plan to regulate these cases? What should organizations be compelled to do in order to protect the sensitive information they store? And what should be the expected consequences when these organizations do not go far enough to protect consumer data?
Two cases currently in the headlines could help us understand how compliance regulations and policing of security negligence will evolve over the coming year.
The Federal Trade Commission will aggressively pursue its cybersecurity authority
Having already scored a major victory in the federal Third Circuit against Wyndham Corporation in August 2015, the Federal Trade Commission (FTC) recently faced its first setback. In November, a complaint the FTC filed against LabMD criticizing its lax cybersecurity practices was dismissed by the FTC's chief administrative law judge. When the court's decision became public, some stories began touting the dismissal as a major setback, but that assessment may be premature.
The Wyndham decision supported the FTC's ability to broadly institute cybersecurity requirements pursuant to the agency's authority to prevent "unfair or deceptive practices." The LabMD case did nothing to change that ability. The complaint in LabMD was dismissed due to the FTC's inability to sustain its burden of proof because its key witness had a serious conflict of interest. The administrative judge never ruled that the FTC was unable to bring the action against LabMD; the organization just failed to prove it.
The FTC has already announced it is appealing the judge's dismissal. In the 100-year history of the FTC, it has never lost an appeal to the Board of Commissioners. Should the dismissal of the complaint be overturned by the Board, the case could continue through the "regular" court system. (Incidentally Wyndham recently reached an agreeable settlement with the FTC.)
New European Union privacy rules rattle industries worldwide
In October 2015, the European Union (EU) Justice Court abolished a Safe Harbor agreement that existed for 15 years between the EU and the U.S. in its decisionentitled Schrems v. Data Protection Commissioner. News reports estimate about 4,500 businesses have been affected. The agreement had allowed American companies to annually self-certify to the U.S. Department of Commerce that they were in compliance with the data privacy requirements in the 28 Member States that comprise the EU.
Sign up for CIO Asia eNewsletters.