In 2015, it became clear that companies should not only worry about the havoc a cyberattack can wreak on their business, but also the regulatory power the Federal Trade Commission holds. On August 24, a panel of judges of the 3rd Circuit U.S. Court of Appeals ruled that the FTC’s lawsuit against global hospitality company Wyndham Worldwide Corp. for alleged data security failures should be allowed to move forward.
According to Modern Healthcare, in the lawsuit, the FTC alleges that Wyndham engaged in “unfair cybersecurity practices that exposed consumers’ personal data to unauthorized access and theft” and that the hotel chain’s “policy on privacy was deceptive.” The lawsuit came after three separate hacking incidents of Wyndham’s computer systems that led to consumers’ information being stolen and more than $10.6 million in fraudulent charges. The court opinion also noted that in the FTC’s guidebook for businesses, the FTC offers advice on how to protect personal information, which Wyndham did not follow.
The panel of judges said Wyndham had fair notice that its cybersecurity practices might violate the FTC’s prohibition against unfair or deceptive acts affecting commerce. Since 2002, the FTC has brought more than 50 cases against companies that have engaged in unfair or deceptive practices that put consumers’ personal data at unreasonable risk. This court decision affirms the FTC’s power to regulate cybersecurity.
Cost of data breaches at new record high
The FTC lawsuit comes only months after the Ponemon Institute’s 2015 Cost of Data Breach Study found that data breaches cost companies an average of $217 per compromised record, a record high since the study’s inception 10 years ago. More than 60 percent of this loss comes from indirect costs, including abnormal turnover of customers.
Although it is increasingly clear that every industry is vulnerable to a cyberattack, certain industries suffer higher data breach costs and are more vulnerable to an abnormal turnover of customers. Heavily regulated industries, including health care, financial, energy and education, tend to incur a loss substantially higher than the average $217 per compromised record; in health care instances, it’s almost twice the cost. Similarly, financial, health, technology, pharmaceutical and services organizations experience a relatively high customer turnover. These industries could significantly reduce the costs of data breaches by emphasizing customer retention and initiatives to preserve reputation and brand value.
Factors that influence the cost of a data breach
Almost half of data breaches are caused by malicious or criminal attacks against a company rather than by a system glitch or human error. Malicious attacks are also the most costly root cause, costing companies $230 per compromised record, significantly more than the $217 average. The Ponemon study found that certain factors can reduce the cost of a data breach by up to 10 percent. These factors include having an incident response plan in place, extensive use of encryption, involvement of business continuity management, the appointment of a chief information security officer, employee training, board-level involvement and insurance protection.