CIOReview
    Emerging Tech Challenges in Legal: Data Insecurity as an Unfair Business Practice

    By Lisa LaForge, Director-Technology Transactions & Chairperson of the Open Source Steering Committee, Legal Department, SanDisk Corporation


CIOs should be aware of a recent Third Circuit appellate decision which affirms the Federal Trade Commission's (FTC) authority to prosecute enterprises that fail to adopt reasonable data security measures. Many states already have data breach laws on the books, but the prospect of increased regulatory action by the FTC significantly raises the legal stakes.

On August 24, 2015, the Third Circuit Court of Appeals upheld a 2014 district court decision holding that the FTC has the authority to treat a company's failure to use reasonable security practices as an unfair business practice, and that such a failure causes substantial injury to consumers which consumers cannot reasonably avoid themselves (FTC v. Wyndham Worldwide Corp.). The appellate decision is a major win for the FTC. In a press release following the decision, FTC Chairwoman Edith Ramirez said, “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

The FTC alleges that Wyndham caused significant consumer harm, writing in its complaint that: “Defendant's [Wyndham] failure to maintain reasonable security allowed intruders to obtain unauthorized access to the computer networks of Wyndham Hotels and Resorts, LLC and several hotels franchised and managed by Defendants on three separate occasions in less than two years. Defendant's security failures led to fraudulent charges on consumers' accounts, more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers' payment card account information.”

Though the case against Wyndham has not been finally adjudicated, the FTC has broad enforcement powers it can use against Wyndham should it prevail. For example, in the In re Snapchat settlement (announced in 2014), the FTC entered into a consent order under which Snapchat is subject to twenty years of independent privacy audits and is prohibited from misrepresenting its privacy and security practices. Because the FTC publicly discloses the existence and nature of regulatory enforcement against specific enterprises, the prospect of reputational loss is perhaps the FTC's strongest weapon. In addition, given the precedential nature of the Wyndham decision, generations of law students may come to associate Wyndham with the case that settled the question of whether the FTC has the authority to regulate data security practices.

    What is a “Reasonable Security Practice”?

The Third Circuit also held that the FTC's recent enforcement actions give ample notice of what constitutes an inadequate security program and, by inference, some indication of what adequacy looks like. The Wyndham complaint reads as a laundry list of what not to do. Among other things, the FTC alleges that Wyndham:

(i) stored payment card information in clearly readable text;

(ii) permitted the use of easily guessed passwords;

(iii) failed to use readily available measures to protect against attack, such as firewalls;

(iv) failed to implement adequate policies and procedures, such as permitting the network to be accessed from servers running an out-of-date operating system;

(v) permitted individual hotel servers to connect to Wyndham's network using default user IDs and passwords that were easily discoverable by attackers; and

(vi) insufficiently restricted third-party access to the Wyndham network.

To demonstrate that reasonable security practices are in place, enterprises must know what software is used throughout the organization and how it is used, and must continuously monitor that code for known vulnerabilities. In addition, CIOs should consider working more closely with their internal procurement organizations to identify secure code during the sourcing process.

    Is Some Code More Secure than Others?

A traditional argument in favor of open source software has been that it is more secure than proprietary code. In theory, more eyeballs on open source software should result in fewer bugs and less potential for security vulnerabilities, but 2014 was an awakening for the open source community in terms of software security: think Heartbleed and Shellshock. Heartbleed remediation was a logistical nightmare for enterprises that lacked visibility into the open source used in their infrastructure, because the first question, which hosts run an affected OpenSSL build, could not be answered from any inventory.
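The visibility problem above and the earlier point about continuously monitoring deployed code for known vulnerabilities both come down to the same exercise: keep a component inventory and match it against advisories. The following is an added example written for this page, not code from the article or from any product it mentions. It parses a constructed host/component/version inventory and flags entries whose OpenSSL version falls inside the Heartbleed (CVE-2014-0160) affected range, 1.0.1 through 1.0.1f (1.0.1g was the fix). The host names and the inventory format are assumptions made for the example; the version parser only understands OpenSSL's numeric-plus-letter scheme and deliberately rejects anything else rather than guessing.

```python
"""Component inventory check: flag deployed open-source versions that fall
inside a known-affected range.  Added example, not from the article; the
inventory below is constructed sample data."""
import re
from dataclasses import dataclass

# Constructed inventory, one "host component version" record per line.
SAMPLE_INVENTORY = """\
# host      component  version
web-01      openssl    1.0.1e
web-02      openssl    1.0.1g
vpn-01      openssl    1.0.0m
build-01    openssl    1.0.1f
db-01       openssl    0.9.8y
"""

# Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f inclusive.
# (advisory id, component, first affected, last affected)
ADVISORIES = [
    ("CVE-2014-0160", "openssl", "1.0.1", "1.0.1f"),
]

# OpenSSL 0.9.x/1.0.x versions: numeric triple plus an optional letter suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_version(v):
    """Return a comparable tuple.  The letter suffix is compared as a string,
    so '' < 'a' < 'b' ..., which matches OpenSSL's release ordering
    (1.0.1 precedes 1.0.1a).  Anything else is rejected, not guessed at."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable OpenSSL version: {v!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def in_range(version, low, high):
    """True if low <= version <= high under OpenSSL ordering."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


@dataclass(frozen=True)
class Finding:
    host: str
    component: str
    version: str
    advisory: str


def parse_inventory(text):
    """Parse 'host component version' lines; '#' lines and blanks are skipped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'host component version'")
        records.append(tuple(parts))
    return records


def find_affected(inventory_text, advisories=ADVISORIES):
    """Cross-reference every inventory record against every advisory."""
    findings = []
    for host, component, version in parse_inventory(inventory_text):
        for adv_id, adv_component, low, high in advisories:
            if component == adv_component and in_range(version, low, high):
                findings.append(Finding(host, component, version, adv_id))
    return findings


if __name__ == "__main__":
    for f in find_affected(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.component} {f.version} affected by {f.advisory}")
```

Run against the sample inventory this reports web-01 (1.0.1e) and build-01 (1.0.1f) and nothing else: 1.0.1g is past the fix, and 1.0.0m and 0.9.8y never had the heartbeat extension bug. The point is that the hard part of Heartbleed response was not the patch but producing the inventory this script reads; an enterprise that can generate that file for every host and every embedded library can answer an advisory in minutes instead of weeks.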


Today, the open source community is putting more emphasis on security in open source code and on the ability to demonstrate that open source code is secure. But at an August 2015 Linux Foundation event (LinuxCon) in Seattle, Linus Torvalds, the driving force behind the Linux kernel and its chief architect, struck a sobering note on the subject of cyber security. In his keynote, Torvalds said, “Security is bugs, completely stupid bugs that some clever person comes around and takes advantage of. We'll never get rid of bugs so security will never be perfect.” Torvalds continued, “Open source is doing fairly well, but anyone who thinks we'll ever be completely secure is foolish.”

    Lulling Consumers into a False Sense of Security

It is a settled legal question that the FTC can prosecute enterprises that mislead or deceive consumers. Snapchat's claim that user photos and videos would self-destruct permanently after the recipient viewed them, when in fact images were not actually deleted from users' phones, is the deceptive practice that led to the twenty-year requirement of privacy reviews.

Similarly, the FTC brought a deception claim based on Wyndham's privacy policy, which stated that the company safeguards “Our Customers' information by using standard industry practices” and that “We make commercially reasonable efforts to make our collection of such Information consistent with all applicable laws and regulations.”

    As privacy policy review is a continuing theme in FTC enforcement actions and a ready source of deceptive claims, enterprises should avoid over-promising or misleading consumers regarding data security practices.

    It will be interesting to see what claims the FTC might bring against Ashley Madison in light of recent events.

    Three Takeaways:

    1) Work with your supply chain to source secure code.

    2) Track all code in your infrastructure both open and proprietary.

    3) Don’t over-promise in a privacy policy.
