The Federal Trade Commission’s effort to force businesses to take reasonable precautions to protect their clients’ sensitive personal information from data breaches is back in the news this week, as is at least one big, new data breach. What the FTC does about cybersecurity, and what it tries to get businesses to do, should be important to everyone. Sooner or later, it seems, any business could have its customers’ data stolen and face FTC charges as a result.
Why you should pay attention: EBay just announced a large data breach. According to an article published in the Seattle Times on May 21, 2014, hackers stole some of the company’s employees’ log-in credentials and used them to gain access to eBay’s corporate network, which includes customers’ names, addresses, dates of birth, and encrypted passwords. It happened between late February and early March 2014 but was discovered only two weeks ago. EBay said there was no evidence that any of its customers were harmed by the breach. It did, however, ask each of its active users to change their passwords. To put that into perspective, it reportedly has 145 million active users. There might not be any damage, but it is a big deal.
What you should pay attention to: The latest FTC enforcement action to make the news is the administrative law trial of the medical testing company LabMD, Inc. The FTC has alleged that LabMD’s lax security measures exposed, and compromised, the private information of almost 10,000 customers. One of the main issues, according to a report in the May 20, 2014 National Law Journal by Jenna Greene, is whether the FTC overstepped its bounds by bringing the charges.
The FTC’s effort to enforce what amounts to a “reasonable precautions” cybersecurity standard is not new. As we noted a few weeks ago, in a separate case the FTC brought against Wyndham Worldwide Corp., Federal District Court Judge Esther Salas on April 7, 2014, upheld the Federal Trade Commission’s right to police corporate cybersecurity practices under its authority, pursuant to Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. §45(a), to prohibit unfair or deceptive acts or practices in, or affecting, commerce.
The Wyndham case was interesting because it involved hundreds of thousands of people who allegedly had their debit and credit card information stolen because they did something everyone does: pay for a hotel room. The LabMD case might be a lot smaller, but there is a lot more at stake.
LabMD did more than merely expose the personal financial information of its customers; it allegedly exposed their confidential medical information as well, according to the FTC’s August 29, 2013 press release. That information allegedly included the results of medical tests, including for cancer, according to the National Law Journal report. Those medical records make the case important.