"On the Hook" With the FTC: Companies can be Held Accountable for Inadequate CyberSecurity Programs
A company that fails to develop and maintain a reasonable cybersecurity program exposes itself to potential liability with the Federal Trade Commission. In today’s day and age, the risk of a cyberattack is well known, and no company can reasonably take the position that this risk is unforeseeable. Last week, a federal court addressed these very issues in an opinion that highlights the critical importance of cybersecurity. In FTC v. Wyndham Worldwide Corp., 2015 WL 4998121 (3d Cir. August 24, 2015), a federal appellate court held that a company which fails to maintain reasonable and appropriate data security to protect consumers’ sensitive personal information can be subject to liability for unfair business competition. The court’s decision reaffirms the authority of the FTC to take administrative actions against companies with deficient cybersecurity.
Notably, this case involved three separate cyberattacks against Wyndham in 2008 and 2009, and Wyndham was unaware of at least one of the attacks for two months, during which time the hackers had access to its network. The fact that Wyndham was, itself, a victim of cyberattacks does not immunize it from liability, and the occurrence of multiple attacks highlighted the purported inadequacy of Wyndham’s cybersecurity. The court also emphasized that Wyndham could not reasonably take the position that the risk of a cyberattack was unforeseeable.
It is abundantly clear that the failure to adhere to best practices or industry standards in the cybersecurity arena can detrimentally impact business. History shows that inadequate or non-existent cybersecurity can lead to liability, significant cost, and lost business. In some cases, a cyber event can even force a company to close its doors. Fortunately, there are steps that a company can take now to minimize the risk of a cyberattack. In addition to the development and maintenance of a cybersecurity program, best practices require corporations to develop an incident response plan that is triggered in the event of a breach. The involvement of legal counsel in this area is critical, in order to ensure the protection of the attorney-client privilege. The Wyndham case is a sobering reminder of the realities faced by companies in today’s business climate.