Guest post by Emilio Cividanes, Kelly DeMarchis and Rob Hartwell, Venable LLP
The Federal Trade Commission (FTC or Commission) has a broad mandate to pursue “unfair or deceptive acts or practices in or affecting commerce.” One substantive area which the FTC has asserted falls under this authority is general data security, and the FTC has brought enforcement actions in this area against companies in many industries including hospitality, internet hardware, social media, and mobile apps when a compromise of personal information occurred.
Surprisingly, the Commission has brought only one enforcement action against a payment processor regarding an alleged failure in its general data security, and that was nearly a decade ago. The FTC has long looked at payment processors as integral players in unfair or deceptive conduct, bringing actions against processors which allegedly facilitated fraudulent telemarketing transactions or profited from internet fraud perpetrated by others.
Renewed Focus on Data Security
The recent rash of highly publicized data breaches has brought renewed focus on data security across all industries—including payment processing. At present, federal data breach notification bills are pending in the House and Senate, along with a separate legislative proposal put forth by the Obama Administration. Several other bills are expected to be introduced during this Congress, some of which would give the FTC an array of new regulatory and enforcement tools in the data security realm.
So, what might the FTC look for in a data security investigation of a payment processor? The FTC looks to a standard of “reasonableness” when it examines data security, but it has not yet defined what “reasonable” means generally. A natural starting point for an investigation might be whether the processor followed standards reasonable for the industry. In payments, compliance with the prevailing industry standard, i.e., the Payment Card Industry Data Security Standard (PCI DSS), can be an indicator of reasonable data security. Nevertheless, PCI DSS alone may not satisfy an inquiry by the FTC into data security standards. The FTC will probably dig deeper into what safeguards a processor has in place, what areas for improvement were highlighted by independent audits or assessments in years past, and what programs and plans for remediation a processor instituted in response to these third-party opinions.
Making sure that the safeguards a processor has in place are appropriate for the size of the business and the type of data it holds could also be key. Processors obviously hold consumer financial information, but they also store employee information, merchant applications (which may contain social security and tax identification numbers for small merchants), and business information that is potentially sensitive, such as company sales data. Is each of these different types of data protected by appropriate safeguards? Were safeguards differentiated and tailored to provide heightened protection to more sensitive data types and to limit the impact of a data security incident? Were the right levels of encryption used to protect transmissions when required?
A third area of investigation would be a processor’s reaction time to any incident. Although data systems are hit with routine cyber attacks as a matter of course, hindsight, unfortunately, is always 20/20. The FTC may second-guess the reasons why a processor did not immediately identify a cyber attack that led to the compromise of personal data, and the FTC may question any delay in remediation efforts or in the time it took to notify the processor’s own customers.
How to be Prepared
When implementing internal policies, processors should keep these considerations in mind. Independent assessors, engaged in the regular course of business, should verify that the processor stays up to date in relation to the industry as a whole. After an assessment, internal plans should address the major gaps identified by the independent assessors in a sequence that tackles the major risks first and tells an overall good story about the organization’s priorities toward personal data. Processors may want to consider hiring outside counsel, especially counsel experienced in data security, and, in conjunction with a technology consultant, have them conduct an independent outside assessment.
An oft-repeated phrase in the security industry holds that there are only two types of companies: those that have been hacked, and those that do not yet know they have been hacked. While fully preventing cyber attacks may not be possible, reducing the potential regulatory scrutiny after the fact may be achievable with some advance planning.
Emilio (Milo) Cividanes is a Partner at Venable LLP. He concentrates his practice on helping companies meet their privacy obligations in a competitive and global marketplace, and shaping the data protection laws and regulations that govern their activities.
Kelly DeMarchis is Counsel at Venable LLP. Her practice concentrates on U.S. and global personal data privacy and security issues across a variety of industry sectors.
Rob Hartwell is an Associate in Venable’s Regulatory Practice Group, where he focuses his practice on privacy, data security, and consumer finance.