In Federal Trade Commission v Wyndham Worldwide Corporation, the US Court of Appeals for the Third Circuit held that failing to encrypt credit card information, or allowing easily guessed passwords for remote access to systems, can amount to an unfair trade practice. The court confirmed that the Federal Trade Commission, under Section 5 of the Federal Trade Commission Act 1914, has the authority to pursue companies whose cyber security is inadequate.
In that case, hackers breached Wyndham Worldwide Corporation's systems on three separate occasions, and the Federal Trade Commission sued, alleging that the company's poor cyber security was an unfair trade practice. One example of the alleged unfair practice is that a username and password were both 'micros'. It gets worse when one learns that 'micros' is the name of the software those credentials protected: in other words, a vendor default that was never changed.
With the recent leaks of personal data, such as the details of Ashley Madison users, cyber security has never been more important.
In the UK, businesses should be aware of their legal obligations in relation to cyber security. The data controller of a business must comply with the Data Protection Act 1998. This includes the obligation to inform individuals that their data is being processed by or on behalf of the data controller, and the seventh data protection principle, which requires appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage.
Businesses that are authorised by the Financial Conduct Authority must also follow the FCA's rules. These include establishing and maintaining effective systems and controls, adequate risk management systems and strict reporting requirements.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 provide that providers of public electronic communications services must take appropriate technical and organisational measures to safeguard the security of their services. Any personal data breach must be notified to the Information Commissioner's Office within 24 hours of the provider becoming aware of it, and the subscribers or users concerned must also be told where the breach is likely to adversely affect them.
If your business needs help understanding the legal and regulatory requirements of cyber security, then do not hesitate to get in contact with Lawdit.