Regular readers know that I recommend every type of organization protect itself against data breaches, not just those operating under regulatory mandates. There has long been an argument that modern legislation such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) offers sufficient protection to businesses and consumers, so it probably came as a shock to global hotel company Wyndham Worldwide Corp when it was sued by the Federal Trade Commission (FTC) under Section 5 of the Federal Trade Commission Act of 1914.

According to documents filed in the District Court in Arizona in 2012, Wyndham engaged in “unfair and deceptive acts and practices” when, between 2008 and 2010, data breaches of Wyndham systems led to the release of over 600,000 Wyndham customers’ personal data. When you dive down into the weeds, Wyndham was accused of failing to use firewalls, failing to address known security vulnerabilities on servers, using “default” user names and passwords to access servers, failing to limit third-party access, and so on. Pretty damning accusations, I know, but what business was it of the FTC?

Interestingly, when the case was heard by the U.S. Court of Appeals for the Third Circuit in Philadelphia a few days ago, lawyers representing Wyndham challenged the authority of the FTC in an area where there already exists “a less extensive regulatory scheme” – meaning the Fair Credit Reporting Act, HIPAA, etc. The three appeal court judges sided with the Federal Trade Commission, agreeing that it has the authority to regulate corporate cyber security. Thus, at least for the time being, until Congress adopts more wide-ranging legislation governing data security, the FTC has the green light to pursue organizations that it deems liable for data breaches that cause harm to consumers.
In this age of constantly changing threats, businesses should not be waiting around to find out whether they’ll be retrospectively fined by the FTC, or whether Congress will eventually get around to adopting more wide-ranging legislation governing data security. Instead, they should be taking immediate action to protect corporate and client data, not only to limit their liability, but also to protect their brand image from the negative exposure of headline news. Zix is the leader in email data protection. Find out about Zix secure solutions here.