No matter how much a company spends in money and resources on cyber security, there is always the risk that its systems will be hacked. Now, a decision by the Third U.S. Circuit Court of Appeals has confirmed that in the event of such an information technology system hack, the U.S. Federal Trade Commission has authority to investigate the company and charge it with unfair trade practices for failure to protect customers from the theft of online data.
The FTC has been routinely filing and settling such claims for years. Among potential claims by the FTC are claims that the firewalls were insufficient, the cybersecurity software was antiquated, and that proper data security procedures were not implemented or followed. If the FTC files a claim, in addition to reputational damage, a company can be subject to expensive fines and there is a heightened risk that the FTC claim will encourage class action lawsuits.
In view of these potential risk factors, a CIO should act defensively to mitigate the company’s exposure to claims by the FTC and other government regulators. Admittedly, some procedures which a company may implement to reduce the risk of a claim by the FTC after a cyberattack may appear to be aimed at “optics.” However, documenting compliance with cybersecurity safety standards is potentially as important to the bottom line as the compliance itself. In addition to actually having in place the most up-to-date practical anti-hacking software, a company needs to be able to demonstrate the way in which it has protected private customer information in order to dissuade the FTC from taking action, and to protect its officers and directors from class action lawsuits following an FTC complaint. Some defensive steps to be considered are as follows:
- Compliance with NIST Cyber Security Framework. The National Institute of Standards and Technology has issued a “Framework for Improving Critical Infrastructure Cybersecurity,” which is becoming a de facto standard of cybersecurity for U.S. regulators. The Framework is the equivalent of a gap analysis, with a company setting up its own profile. If a company can demonstrate to the FTC that it has implemented the Framework, it may help to persuade the FTC that there are no grounds to file a complaint.
- Updating of data and privacy policies. Every company has a data privacy and security policy. However, many of those policies may have been written several years ago and may not reflect recent standards and practices. A company should regularly update those policies to comply with the most recent cybersecurity requirements.
- Report by respected third-party consultant. Virtually every major information technology consultant now has a cybersecurity practice. Although it is an added expense, and its worth may only be demonstrated if a hack is uncovered, a CIO should retain a respected consultant to perform an annual data security review, should update the company’s security to comply with the report’s recommendations, and should obtain from the consultant a report confirming that the company has implemented the most current anti-hacking processes and protections.
- Risk manager involvement. The CIO should actively coordinate with the company’s risk managers, so that they too document the company’s compliance with the most recent protective steps for cyber security.
- Cybersecurity insurance. Cybersecurity risks are often not included in a commercial general liability insurance policy. The CIO should review the company’s cybersecurity insurance policy to ensure that it provides the necessary coverage in the event of a hack and subsequent regulatory and legal action by the FTC and others.
Richard Raysman and Francesca Morris are partners in the New York law office of Holland & Knight.