BreachExchange mailing list archives

The Evolving Cyber Security Regulatory Environment

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 24 Dec 2015 19:09:59 -0700

http://hospitalitytechnology.edgl.com/news/The-Evolving-Cyber-Security-Regulatory-Environment103908

The hospitality industry is an attractive target for criminals who want to
steal a valuable asset: data. However, the damage caused by a data breach
extends beyond theft. It can include, among other things, the impact on a
company’s reputation and lost consumer confidence. And even though the
company was itself the victim of the crime, the injury may be compounded by
regulatory action and penalties for failing to comply with privacy and
cyber security laws and regulations.

Since 2000, the Federal Trade Commission (the “FTC”), the agency tasked
with enforcing consumer protection laws, has positioned itself as the
principal federal agency regulating privacy and cyber security. The primary
statute relied upon by the FTC is Section 5 of the FTC Act, which contains
a very broad definition of unfair and deceptive acts or practices. In
August 2015, the Third Circuit Court of Appeals affirmed the FTC’s
authority to regulate unfair and deceptive cyber security practices in
F.T.C. v. Wyndham Worldwide Corporation.

The Wyndham case stems from an FTC investigation following three separate
data breaches. Between 2008 and 2010, hackers gained access to Wyndham’s
network on three occasions, stealing payment card information from over
619,000 Wyndham customers. The theft resulted in more than $10.6 million in
fraudulent purchases. After investigating the breaches, the FTC filed suit
against Wyndham claiming that the company engaged in unfair and deceptive
business practices in violation of Section 5 of the FTC Act. The FTC
alleged that, among other things, Wyndham allowed its hotels to store
payment card information without encryption, failed to use readily
available security measures, such as firewalls, and failed to employ
reasonable measures to detect and prevent unauthorized access to its
computer network.

Following the ruling, the FTC issued a press release affirming its
continued enforcement activity: “[i]t is not only appropriate, but
critical, that the FTC has the ability to take action on behalf of
consumers when companies fail to take reasonable steps to secure sensitive
consumer information.”

The FTC is not the only agency enforcing privacy and cyber security laws
and regulations. Companies have to comply with a patchwork of federal and
state laws and regulations, as well as industry specific guidelines,
governing privacy and cyber security. The myriad of laws and regulations
creates a significant compliance challenge. One way to comply with the
complicated (and ambiguous) regulatory landscape is to identify standards
and best practices in the FTC’s publications and prior cyber security
related enforcement actions.

Be proactive when it comes to cyber security. Companies should regularly
conduct “data audits” to understand what information they collect, how they
collect it, where and how it is stored and transmitted, and who has access
to the data. A comprehensive audit will help companies identify any weak
links that criminals can exploit, as well as mitigate their enforcement
exposure vis-à-vis the FTC.

Assess and update policies and procedures on a regular basis. This includes
those that address network security, identity theft prevention, responding
to data breach incidents, use of personal devices for company business, and
social media. Cyber security policies should address both physical and
electronic security such as passwords, firewalls, and encryption, as well
as cultural security. Even the strongest firewall or password protocols
will not prevent a breach caused by an uninformed employee who, for
example, uses a compromised USB drive at work or posts a selfie from work
with confidential information visible in the background.

Review privacy policies. Every company that collects information about its
customers should review its privacy policy to confirm that it accurately
reflects the company’s cyber security. It is also appropriate to verify
that the privacy policy complies with applicable federal and state laws and
regulations, and that the privacy policy accurately reflects the company’s
actual procedures for collecting, storing, using, and disclosing data.

Secure data across all channels. The data that is at risk includes more
than credit card information or personally identifiable information. It can
include loyalty program account information, loyalty reward points,
recipes, and other confidential proprietary information. Accordingly, a
company’s cyber security protocols need to address strategies to defend
against theft and comply with an evolving regulatory environment.

Insurance coverage. Finally, with the emergence of niche cyber security
insurance policies, riders, and exclusions, it is important to review
existing insurance policies to verify coverage for data breaches in the
environment in which the company operates.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/