"On the Hook" With the FTC: Companies can be Held Accountable for Inadequate CyberSecurity Programs
A company that fails to develop and maintain a reasonable cybersecurity program exposes itself to potential liability with the Federal Trade Commission. In today’s day and age, the risk of a cyberattack is well known, and no company can reasonably take the position that this risk is unforeseeable. Last week, a federal court addressed these very issues in an opinion that highlights the critical importance of cybersecurity. In FTC v. Wyndham Worldwide Corp., 2015 WL 4998121 (3d Cir. August 24, 2015), a federal appellate court held that a company which fails to maintain reasonable and appropriate data security to protect consumers’ sensitive personal information can be subject to liability for unfair business competition. The court’s decision reaffirms the authority of the FTC to take administrative actions against companies with deficient cybersecurity.
Notably, this case involved three separate cyberattacks against Wyndham in 2008 and 2009, and Wyndham was unaware of at least one of the attacks for two months, during which time the hackers had access to its network. The fact that Wyndham was, itself, a victim of cyberattacks does not immunize it from liability, and the occurrence of multiple attacks highlighted the purported inadequacy of Wyndham’s cybersecurity. The court also emphasized that Wyndham could not reasonably take the position that the risk of a cyberattack was unforeseeable.
It is abundantly clear that the failure to adhere to best practices or industry standards in the cybersecurity arena can detrimentally impact business. History shows that inadequate or non-existent cybersecurity can lead to liability, significant cost, and lost business. In some cases, a cyber event can even force a company to close its doors. Fortunately, there are steps that a company can take now to minimize the risk of a cyberattack. In addition to the development and maintenance of a cybersecurity program, best practices require corporations to develop an incident response plan that is triggered in the event of a breach. The involvement of legal counsel in this area is critical, in order to ensure the protection of the attorney-client privilege. The Wyndham case is a sobering reminder of the realities faced by companies in today’s business climate.