A case for MCMC to consider in the National Cybersecurity Policy.
In 2015, the Federal Trade Commission (FTC) of the United States sued Wyndham Hotels and Resorts, charging that the company's security practices unfairly exposed the payment card information of hundreds of thousands of consumers to hackers in three separate data breaches.
In suing Wyndham, the government of the United States demonstrated its commitment to protect individual consumers from the harm caused by unreasonable data security.
Wyndham settled with the FTC and, under the terms of the settlement, the company will:
1. be required to obtain annual security audits of its information security program that conform to the Payment Card Industry Data Security Standard (PCI DSS) for certification of a company's security program.
2. The order requires Wyndham's audit to:
   a. certify the 'untrusted' status of franchisee networks, to prevent future hackers from using the same method used in the company's prior breaches;
   b. certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company; and
   c. certify that the auditor is qualified, independent and free from conflicts of interest.
3. The order also requires that, in the event Wyndham suffers another data breach affecting more than 10,000 payment card numbers, it must obtain an assessment of the breach and provide that assessment to the FTC within 10 days.
4. If Wyndham successfully obtains the necessary compliance certifications, it will be deemed in compliance with the comprehensive information security program provision of the order. That provision is not effective, however, if Wyndham in any way misleads or provides false information during the annual audit and assessment process.
5. Wyndham's obligations under the settlement are in place for 20 years.
The above action by the federal agency in the United States is food for thought for MCMC and our government in the drafting of the National Cybersecurity Policy. This is also in line with our thoughts set out in our article of 13 Feb 2019 titled 'Any Recourse for Individuals subsequent to a Data Breach?'.