I have a client who runs a hundred-person company that recently suffered a data breach. His systems were hacked, and both customer and employee data was taken from his internal server. Not only that, but the hacker left a "crypto-locker" virus that effectively disabled his entire network. The poor guy was down for almost a week before he caved, paid a $500 ransom (in bitcoins, no less), and got the code to reenable his network and get his data files back. It was an experience that he never wants to repeat.
And yet, those hackers could be the least of his problems. A recent court decision could set the U.S. government after him too.
According to a U.S. appeals court ruling last week, the Federal Trade Commission has authority to regulate corporate cybersecurity. The case had to do with a data breach at Wyndham hotels, where more than 619,000 consumers were affected, leading to more than $10.6 million in fraudulent charges. "Noting the FTC's broad authority under a 1914 law to protect consumers from unfair and deceptive trade practices, circuit judge Thomas Ambro said that Wyndham failed to show that its alleged conduct 'falls outside the plain meaning of 'unfair.'" The FTC was elated. "It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information," the agency's chairwoman said.
Are you taking "reasonable steps to secure sensitive consumer information"? I certainly hope so. If not, the U.S. government can now come after you.
The ruling opens up the door for the government to come down hard on any business in which consumers are subject to "unfair and deceptive trade practices." That definition has been stretched to include consumers' data on companies' servers. So if you are found to be at fault for not taking the right measures to secure your customers' data, particularly credit card data, then your company could be liable to big penalties from the FTC. In the wake of recent high-profile data breaches, such as the Ashley Madison site's, and many others, including at Harvard University and Anthem Insurance, cybersecurity has become an issue that Washington feels the need to do something about. Anything. This is the government, by the way, that had its own servers hacked countless times over the past year alone.
But let's not dwell on that. Instead, we need to take action. And as a technology consultant, I am recommending that my clients do the following:
One, move as much of your operations to the cloud as possible. The companies that host databases and operations are certainly far from perfect. But they still have more resources, talent, and knowledge to provide the best security infrastructure for your data. It's their business model. Your agreement with them does not have to sacrifice the control you have over the data. To a certain degree, you can hold them accountable for the proper protection of it. And you can say to the world (or the FTC) that you are taking the right steps to ensure that you are not being "unfair" or "deceptive" with your customers' important information, because you're letting the best people secure it.
Two, get insurance. Many insurance companies that cater to businesses (example: The Hartford) offer protection against data breaches. The coverage is not very expensive and easy enough to add on to your existing policies. This is a new field, so your choices will vary. Talk to your insurance agent to see what coverages are available to protect you from disruptions and liabilities.
Finally ... wait. In his ruling, Judge Ambro also rejected what he called Wyndham's "alarmist" argument that letting the FTC regulate its conduct could give the agency effective authority to regulate hotel-room door locks, or sue supermarkets that fail to sweep up banana peels. I'm kind of on Wyndham's side here. And I'm betting most other business owners would agree. I don't think this case is over, so let's see how far up the judicial ladder it goes.
What about my client? He's back in business. He's apologized to his customers, and he's now looking into cloud-based providers for his data. Let's just hope the FTC doesn't come down on him too!
A version of this blog originally appeared on Inc.com.