APAC CIOOutlook

    Emerging Tech Challenges in Legal: Data Insecurity as an Unfair Business Practice

    Lisa LaForge, Director-Technology Transactions & Chairperson of the Open Source Steering Committee, Legal Department, SanDisk Corporation


    CIOs should be aware of a recent Third Circuit appellate decision which affirms the Federal Trade Commission’s (FTC) authority to prosecute enterprises which fail to adopt reasonable data security measures. While many states have laws about data breach on the books already, the prospect of increasing regulatory action on the part of the FTC significantly raises the legal stakes.

    On August 24, 2015, the Third Circuit’s appellate court upheld a 2014 district court decision which said that the FTC has the authority to hold companies responsible for failing to use reasonable security practices as an unfair business practice, and that failure to adopt reasonable security measures creates substantial injury to consumers which consumers cannot reasonably avoid themselves (FTC v. Wyndham Worldwide Corp.). The appellate decision is a major win for the FTC. In a press release following the appellate court decision, FTC Chairwoman Edith Ramirez said, “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

    The FTC alleges that Wyndham caused significant consumer harm, writing in its complaint that: “Defendant’s [Wyndham] failure to maintain reasonable security allowed intruders to obtain unauthorized access to the computer networks of Wyndham Hotels and Resorts, LLC and several hotels franchised and managed by Defendants on three separate occasions in less than two years. Defendant’s security failures led to fraudulent charges on consumer’s accounts, more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information.”

    Though the case against Wyndham has not been finally adjudicated, the FTC has broad enforcement powers it can use against Wyndham should the FTC prevail. For example, in the In re Snapchat (2013) settlement, the FTC entered into a consent order and proposed settlement agreement under which Snapchat is subject to twenty years of privacy audits and is prohibited from making false claims about its privacy policies. Because the FTC publicly discloses the existence and nature of regulatory enforcement against specific enterprises, the prospect of credibility loss is perhaps the FTC’s strongest weapon. In addition, given the precedential nature of the Wyndham decision, generations of law students may come to associate Wyndham with the case which settled the question of whether or not the FTC has the authority to regulate data security practices.

    What is a “Reasonable Security Practice”?

    The Third Circuit appellate court also held that the FTC's recent enforcement actions give ample notice of what constitutes an inadequate security program and, by inference, some indication of adequacy. The Wyndham complaint reads as a laundry list of what not to do. Among other things, the FTC alleges that Wyndham: (i) stored credit card information in clearly readable text, (ii) permitted the use of easily guessed passwords, (iii) failed to use reasonable measures to protect against attack, such as firewalls, (iv) failed to implement adequate policies and procedures (such as permitting the network to be accessed using an out-of-date operating system), (v) permitted individual hotel servers to connect to Wyndham’s network through default passwords and IDs which were easily discoverable by hackers, and (vi) insufficiently restricted third party access to the Wyndham network.

    To demonstrate that they have reasonable security practices in place, enterprises must understand what software is used throughout the organization and how it is used, and must constantly monitor code for potential vulnerabilities. In addition, CIOs should consider working more closely with their internal procurement organizations to identify secure code during the sourcing process.

    Is Some Code More Secure than Others?

    A traditional argument in favor of the use of open source software has been that open source is more secure than proprietary code. In theory, more eyeballs on open source software should result in fewer bugs and less potential for the inclusion of security vulnerabilities, but 2014 was an awakening for the open source community in terms of software security: think Heartbleed and Shellshock. Heartbleed remediation was a logistical nightmare for enterprises which lacked visibility into the open source used in their infrastructure.

    "The Federal Trade Commission (FTC) has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information"

    Today, the open source community is putting more emphasis on security in open source code and the ability to demonstrate that open source code is secure. But at an August 2015 Linux Foundation event (LinuxCon) in Seattle, Linus Torvalds, the driving force behind the Linux kernel and its chief architect, struck a sobering note on the subject of cyber security. In his keynote, Torvalds said, “Security is bugs, completely stupid bugs that some clever person comes around and takes advantage of. We'll never get rid of bugs so security will never be perfect.” Torvalds continued, “Open source is doing fairly well, but anyone who thinks we'll ever be completely secure is foolish.”

    Lulling Consumers into a False Sense of Security

    It is a settled legal question that the FTC can prosecute enterprises which mislead or deceive consumers. Snapchat’s claim that user photos and videos would self-destruct permanently after the recipient viewed them, when in fact Snapchat images were not actually deleted from users’ phones, is the deceptive practice which led to a twenty-year requirement of privacy reviews.

    Similarly, the FTC brought a claim for deceptiveness based on the Wyndham privacy policy because Wyndham’s policy claimed the company safeguards, “Our Customers information by using standard industry practices” and “We make commercially reasonable efforts to make our collection of such Information consistent with all applicable laws and regulations”.

    As privacy policy review is a continuing theme in FTC enforcement actions and a ready source of deceptive claims, enterprises should avoid over-promising or misleading consumers regarding data security practices.

    It will be interesting to see what claims the FTC might bring against Ashley Madison in light of recent events.

    Three Takeaways:

    1) Work with your supply chain to source secure code.

    2) Track all code in your infrastructure both open and proprietary.

    3) Don’t over-promise in a privacy policy.
