Fear the data breach. Companies large and small worry that a security lapse compromising personal information may hurt their customers or employees and expose the organization to costly liability and a damaged reputation. But recent developments suggest that comfort may still be found in keeping privacy promises and keeping up with “reasonable security” best practices.
This week’s $11.2 million settlement of the Ashley Madison class action is a reminder that companies handling potentially sensitive personal information can pay a heavy price for lax security. Of course, in that case there were allegations of “deceptive” as well as “unfair” practices under FTC Act section 5(a), since the company, for example, charged a fee for deleting data from closed accounts and then failed to do so. See the Bloomberg Law article (in which I’m quoted). But this follows last month’s $115 million proposed settlement of consolidated class actions against Anthem, Inc. after the first of a wave of cyberattacks against large health insurance companies in 2015 and 2016. In such cases, liability generally comes down to a simple question of keeping up with reasonable security measures, not a failure to keep specific privacy promises. These cases demonstrate that this effort is a real challenge even for large organizations with substantial in-house IT resources.
The Federal Trade Commission has handled more than 60 complaints and consent orders concerning data breaches exposing sensitive personal data. Its “Start with Security” guide offers ten practical principles for businesses handling personal information. Today, the FTC announced that it will publish a weekly blog post on Fridays over the next few months called “Stick with Security” to offer insights drawn from the FTC’s experience with data breach investigations. The first post explains how the FTC chooses to take enforcement action in the case of some publicized breach incidents and not others.
Good summer reading for a few minutes on Fridays. Beach blanket optional.