What Are the Federal Government’s Standards for Cyber Security?

The U.S. Federal Trade Commission (FTC) can now take action against companies failing to protect customer data, according to a recent decision by the U.S. Court of Appeals for the Third Circuit. The important point to note about this headline is that the federal government has not set actual standards for cyber security. Therefore, it is almost impossible to tell how companies will be evaluated.

In three separate data breaches between 2008 and 2010, hackers allegedly stole more than 619,000 credit and debit card numbers from Wyndham Worldwide Corp. This recent court decision claims Wyndham should have had a thorough understanding of the FTC’s cyber security standards at the time of the breaches. FTC Chairwoman Edith Ramirez said, “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.” With little information available on what the FTC considers to be “unreasonable cyber security practices,” the commission’s future cyber security policing could raise a number of questions. Sequel will continue to follow these developments, but in the meantime, Computerworld, Bloomberg BNA and the Wall Street Journal have all covered the Third Circuit’s decision.