The U.S. Court of Appeals for the Third Circuit upheld the Federal Trade Commission's authority to sue Wyndham Worldwide over at least three data breach incidents that occurred between 2008 and 2010. According to the FTC complaint, the incidents exposed more than 600,000 consumer payment card account numbers and led to more than $10 million in fraud losses. Wyndham Worldwide had challenged the FTC complaint on appeal, arguing that the FTC was overreaching its authority under Section 5 of the FTC Act, but lost in a 3-0 decision. The unanimous ruling is important because it shows the government is taking bold steps toward holding data custodians accountable for the data in their care, and the courts are agreeing with them.

The Wall Street Journal blogged about this and put out a call to CIOs to be careful about how they handle data security. “CIO[s] should act defensively to mitigate the company's exposure to claims by the FTC and other government regulators,” the authors state.

The article mentions several important points:

  • Compliance with the NIST Cybersecurity Framework. The National Institute of Standards and Technology Cybersecurity Framework is guidance, built on existing standards and good security practices, for better managing and reducing organizational risk. It is becoming a de facto standard for cybersecurity, and regulators increasingly treat it as the baseline for "reasonable" security. The challenge for organizations is determining which of the more than 350 recommendations in the NIST CSF are relevant to them and how to implement those.
  • Updating data and privacy policies. Even if your company has data security policies, when were they last reviewed and revised to address the most recent threats? Any organization that handles protected health information under HIPAA or cardholder data under PCI DSS is required to conduct ongoing reviews to ensure its security measures remain current and compliant, and may be required to demonstrate this to auditors.
  • A report by a respected third-party consultant. A security assessment is a key step in understanding your organization's level of readiness and maturity. It reveals security gaps and the risks associated with them, and it helps organizations factor high-impact investments into their future business plans. Annual security assessments from respected security consultants can help your organization adapt to new threats, increase employee awareness, and assist in formulating a strong security strategy.

The government is getting serious about data breaches. The gap between what is required to protect data and the ability of organizations to implement those requirements is widening. As data continues to grow, and more rules are passed on how it is to be governed, this gap, and the accompanying fines, will become paramount issues for enterprises to manage.

Rapid7's Global Services organization has experience in all of these areas. It partners with clients to assess organizational security maturity, provides recommendations and advice on how to address gaps in security processes and procedures, and can assist in the development of security programs and policy. These engagements help clients reduce their security risk through the delivery of robust, repeatable and easily governed processes.

I am happy to answer any questions you might have regarding security maturity, cybersecurity frameworks, or a host of other information security services. Please feel free to contact me @JoelConverses on Twitter or Skype. I look forward to chatting with you!

- Joel Cardella