United States Federal Trade Commission (FTC) building in Washington, DC
Blood in the Water: How the FTC May Target Your Organization Next by Anna Ferry, Senior Writer and Editor at Mission Multiplier

Blood in the Water: How the FTC May Target Your Organization Next

There has always been a thin red line that has every company walks in regards to their dealings with the Federal Trade Commission (FTC), but several recent cases have led to there being blood in the water, and now the sharks are picking-up on the scent. A ruling regarding a case between the FTC and a medical company called LabMD has been making headlines recently, and every business, company, and organization needs to be warned that the FTC could be coming for you next.

LabMD, a now inoperative cancer testing company, won an appeals case against the FTC over accusations that the firm’s data security was inadequate and allowed the exposure of sensitive patient information. They did compromise the information of their patients by downloading a streaming software called LimeWire, which allowed over 10,000 people to access this sensitive information, but they argued that the FTC’s regulations regarding their cyber security practices were too vague to allow for prosecution. Their claim stems from the fact that the FTC’s arguments were based off of what LabMD wasn’t doing in terms of protecting their clients, instead of pointing out anything that they did wrong. LabMD pointed out that it is hard for them to assure that their security measures are adequate when the FTC has no standard or set regulations for them to follow. The court agreed that the FTC’s policies were too vague and said that, aside from the fines that the FTC had already imposed on LabMD, there would be no further prosecution from the FTC on this matter. Although LabMD did win their court case (and avoided paying several more million dollars to the FTC), they did lose their patients’ confidence in them and, ultimately, their business. The critical point that was made clear by this ruling, though, is that a breach in security doesn’t have to even occur, the FTC can prosecute an organization for just creating a potential breach. So, any business, big or small, is at risk of facing an FTC investigation, even if no information is even stolen; there just has to be an opportunity for someone to steal it and that is all the FTC needs to fine, prosecute, or even shut down a business.

Other widely covered cases such as the AshleyMadison.com case and the Wyndham Worldwide Corporation case, resulted in these businesses paying millions of dollars in fines and up to $40,000 a day for each additional violation discovered. Now, the LabMD hearing has every business owner wondering what’s next for the FTC? Their authority was not stripped from them with this ruling, it only forced the FTC to create a set standard that every business in America will have to follow. The FTC’s power has only grown since this ruling because now, instead of having lengthy hearings on a case by case basis, there is a clear checklist that they can evaluate businesses on, that will determine their innocence or guilt. The FTC is currently working on creating a more easily enforceable policy that gives companies concrete guidance on how to improve their cyber security. The FTC is also warning businesses across the nation that with their new regulations in place, they will be cracking down on cybersecurity and no company or organizations will be exempt from these rules. According to a former enforcer of compliance at the department of Health and Human Services, companies will now be required to work intimately with the FTC on getting into compliance with the new standards they’re setting. She also said that “the court has given the FTC the authority to specifically dictate the terms of required security measures for every organization and entity in the United States”.

The FTC, along with many of the nation’s leading cyber security experts, recommend that every business revamp their cyber security efforts in order to avoid paying the consequences. The most common measures put in place by businesses are two- factor authentication and adequate configuration of their firewall, but there are a few other ways to strengthen security within a business. Training employees to spot threats, scams, and breaches can be a huge help when it comes to in-house threat prevention. Another way to fortify your business’ sensitive information is to have your network penetration tested to see how easy it is for hackers to gain access to your information. One final measure your company can take is to continuously monitor your network with the use of vulnerability scanners. These scanners monitor your network and test it for any weaknesses. The most useful thing about these scanners is that they constantly update and reevaluate their findings so you can make sure your business is always covered and your security regulations are always up to date.

To avoid fines and prosecution, it is highly recommended that each organization does frequent and random cyber security evaluations for their business in order to determine the effectiveness of their policies and efforts. Whether cybersecurity is an in-house effort or you need to enlist the help of cybersecurity professionals externally, every business should be warned that the FTC is out for blood after its new regulations are written, which according to them, is in the very near future.