The answer is no, of course. That would mean that even companies that fall to hackers despite using data security tools — like centrally managed data encryption software from AlertBoot — would feel the sting of the Federal Trade Commission (or, at least, fear it). And, as security experts note, when it comes to data breaches, it’s a matter of when, not if. Combine these two concepts and you have all companies potentially exposed to the FTC.
And yet, many news outlets report otherwise. For example, when I was reading up and posting on the FTC’s actions against Wyndham yesterday, I noted that (my emphasis):
Mind you, the story is making the rounds in business and computer IT / security sites as an “FTC lawsuit for data breaches.” Nothing could be further from the truth…at least, on paper.
Simply put, the FTC doesn’t have the power to sue companies for having a data breach. But the Federal Trade Commission can definitely bring action for deceiving consumers.
Someone else must have caught on to this because today I ran across a Forbes article titled “Why the FTC has hackers’ victims in its crosshairs.” In it, the author notes that “most companies that fall victim to hackers never enter the F.T.C.’s crosshairs. As long as businesses have reasonable security measures, they can avoid punishment after even serious breaches.”
The article goes on to quote an FTC official:
“We have always said that it is not a violation to be hacked,” said Kristin Cohen, an attorney in the F.T.C.’s division of privacy and identity protection. “We can only go after companies that have misleading privacy policies — either they did something that was deceptive or unfair.”
Among other nuggets the article offers:
The FTC cannot levy financial penalties for “data protection cases.” (In quotes because it makes it sound like being fined for being hacked.)
But Congress is mulling whether the Commission should have the power to impose financial penalties. The FTC already has that power for other types of “corporate misbehavior.”
The Senate has already introduced such a bill.
The FTC has sued or settled with approximately 35 companies for misleading data security promises.