tadamichi - Fotolia

US court rules FTC can regulate corporate cyber security

Federal Trade Commission gets green light to pursue a lawsuit accusing hotel operator Wyndham Worldwide of failing to properly safeguard consumers' data

A US court has ruled that the Federal Trade Commission (FTC) has authority to regulate corporate cyber security, but a privacy protection firm says data security should already be a priority.

According to the appeals court ruling, the FTC may pursue a lawsuit accusing hotel operator Wyndham Worldwide of failing to properly safeguard consumers' information, reports Reuters.

The lawsuit relates to three breaches in 2008 and 2009 in which hackers broke into Wyndham’s computer system and stole credit card and other details of more than 619,000 customers, enabling fraud worth more than $10.6m.

The ruling comes as Toronto-based Avid Life Media prepares to face at least six lawsuits related to the compromise of its user databases, source code repositories, financial records and email system.

FTC chairwoman Edith Ramirez said in a statement that it is “critical” that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.

“While it’s great the US is taking steps to prevent companies losing sensitive consumer information, this should already be a top priority,” said Jason du Preez, CEO of Privitar.

“This decision is further support for the notion that companies need to take the way they manage and process sensitive data more seriously.”

Du Preez said that while the opportunities presented by big data analytics can be of enormous value to companies and their customers, the legal and ethical implications must be understood and respected.

Read more about data privacy

“After all, a data breach can have really serious financial or personal consequences for individuals and destroy consumer trust and loyalty,” he said.

According to Du Preez, companies should evolve data management practices and embrace a privacy-by-default approach to data security and privacy.  

“By ensuring that only essential data is visible in any given process, organisations can extract essential value from data while complying with the strictest standards for data protection,” he said.

“This data-centric approach effectively separates data utility from data identity and will allow companies to confidently use sensitive data to drive innovation without the fear of serious regulatory, legal or financial repercussions.”

Read more on Privacy and data protection