Cybersecurity, and cybersecurity breaches in particular, are difficult topics to discuss with clients, partly because of the unknown variables involved and partly because of their simple reluctance to confront their vulnerabilities and invest the capital needed for prevention and training. From internal planning, which means establishing a process, to addressing the possibility of external intrusion, these matters tend to be cumbersome for a company’s administration to get its arms around. A detailed internal security program communicated to all employees, followed by focused training, is a critical first step. After that, the level of data security a company achieves depends on its own diligence in monitoring its employees’ practices and evaluating their compliance. Such monitoring and testing should be chronicled in reports that record what measures were taken to correct missteps and what improvements were made.
Companies are realizing that, after a cybersecurity incident, their process will be scrutinized not only by customers but also by the Federal Trade Commission. Whether under its authority to police advertising that could be deemed deceptive, or under its role in protecting children’s information under the Children’s Online Privacy Protection Act (COPPA) Rule, the FTC will most likely pursue a claim following a data integrity incident. The world-famous hotelier Wyndham was sued by the FTC over a data breach. Wyndham suffered an externally sourced intrusion by hackers who were able to retrieve financial information as well as personal information belonging to Wyndham customers. The breach was assessed at approximately $10m in fraudulent credit card charges.
Throughout the three years of litigation, Wyndham did not admit to having violated the law. Nevertheless, it entered into a stipulation and injunction listing criteria that addressed the FTC’s concerns. The remedial efforts appear to be routine best practices, and at most comprehensive ones. Among the items that Wyndham proposed and the FTC agreed to, without any admission of fault, were: establishing a written information security program; designating an individual or individuals to oversee the program; setting standards for selecting credit card processing vendors and for the safeguarding process; taking inventory of the critical personal and financial information collected; and frequently evaluating the program and noting changes in implementation so as to enhance it. The comprehensive list of criteria also included a stipulation that Wyndham must provide the FTC annually with evidence of its compliance with PCI standards (the Payment Card Industry Data Security Standard).
The takeaway from this case is that, despite the uncertainty involved in anticipating a cyber intrusion and being able to forestall an attempt, devising a program that addresses the key points regarding customers’ confidential and financial information is critical. Obviously, any company could have established a program on paper while not being diligent in assessing its ability to improve the company’s awareness of an incident, nor in noting its changes, if any. Having a plan, assessing vulnerabilities, taking inventory of protected information, and identifying steps to address or correct problems is a fundamental, basic approach that every company should take.