Security Experts: FTC Ruling On Breach Regulation Is Wake-Up Call To Focus On Data Security

A U.S. appeals court ruling this week that gave the Federal Trade Commission (FTC) some regulatory power to hold companies responsible for data breaches that are the result of security negligence should serve as a wake-up call to clients and solution providers to focus on data security measures, security experts said.

The appeal is part of a push by the FTC to hold Wyndham Worldwide responsible for multiple data breaches from 2008 to 2009 that compromised the credit-card data of more than 600,000 customers. The unanimous decision by the 3rd U.S. Circuit Court of Appeals in Philadelphia this week said the FTC could move forward with its 2012 lawsuit, which alleges that the company misrepresented its security practices and that its failure to take adequate security steps was subject to FTC regulation, charges the corporation has said are "unfair."

As data breaches grow more frequent, with more than 98 reported already this year, the decision holds heavy implications for solution providers responsible for the data security of their clients, experts said.

"It's not so much that FTC has at least been granted power ... but I think the bigger importance is the awareness of risk-based decisions being brought to the top," Sol Cates, chief security officer for San Jose, Calif.-based data security company Vormetric, said. "I do think that people will start waking up a little more about the need for data security in particular."

That wake-up call is particularly acute for solution providers themselves, Raven Data Technologies CEO Matt Johnson said.

"If you're an MSP or a solution provider whose client winds up getting breached and sued, the very next thing they're going to do is turn around and sue the solution provider," Johnson said. "It's going to open up a can of worms for solution providers."

A solution provider based in Reisterstown, Md., Raven Data Technologies has already launched a marketing campaign around the announcement, bringing awareness to customers about the growing importance of security solutions, and the rising implications of ignoring them.

"We're putting it together and talking to clients and potential clients," Johnson said. "It's not a scare tactic; it's more of an information awareness. I'm sure 99 percent of the people out there don't know about it because it was a pretty quiet thing."

Johnson said clients need to be aware that the aftermath of a breach is evolving, from the potential for fines and a reputation slam in the past to now facing the very real threat of a federal lawsuit. That is especially true for small and medium businesses, he said, which often shy away from the large investment needed to get security technologies up to par ahead of time.

Johnson said Raven Data Technologies is using this news to push the importance of a proactive security strategy, including data encryption, firewall, UTM, insider threat management and endpoint security.

Companies such as Lafayette, La.-based InfoTECH Solutions also were advertising their services on Twitter in response to the FTC ruling.

The FTC can punish organisations with poor cybersecurity now, but we can help.

The challenge going forward for regulation around data breaches, Vormetric's Cates said, is that the FTC has not yet set or chosen a standard that will serve as the "measuring stick" for security. While existing security standards from SANS, NIST and ISO 27001 are good starting points, Cates said there is no "silver bullet" framework yet in place for organizations to measure themselves against.

"I think that there's still a lot of room for improvement around security frameworks. We still don't have that measuring stick that everyone can put in place for their organization to say that they are a 'D' [grade] and they need to be a 'B,'" Cates said. "You have a gap here, and make sure you are talking apples and apples, not apples and oranges."

PUBLISHED AUG. 26, 2015