No matter how much a company spends in money and resources for cyber security, there is always the risk that the system will be hacked.  Now, a decision by the Third U.S. Circuit Court of Appeals has confirmed that in the event of such an Information Technology System hack, the U.S. Federal Trade Commission has authority to investigate the company and charge it with unfair trade practices for failure to protect customers from the theft of on-line data.

The FTC has been routinely filing and settling such claims for years. Among potential claims by the FTC are claims that the firewalls were insufficient, the cybersecurity software was antiquated, and that proper data security procedures were not implemented or followed. If the FTC files a claim, in addition to reputational damage, a company can be subject to expensive fines and there is a heightened risk that the FTC claim will encourage class action lawsuits.

In view of these potential risk factors, a CIO should act defensively to mitigate the company’s exposure to claims by the FTC and other government regulators. Admittedly, some procedures which a company may implement to reduce the risk of a claim by the FTC after a cyberattack may appear to be aimed at “optics.” However, documenting compliance with cybersecurity safety standards is potentially as important to the bottom line as the compliance itself. In addition to actually having in place the most up-to-date practical anti-hacking software, a company needs to be able to demonstrate the way in which it has protected private customer information in order to dissuade the FTC from taking action, and to protect its officers and directors from class action lawsuits following an FTC complaint.  Some defensive steps to be considered are:

Read more at Cybersecurity, FTC and CIOs