What does settlement really mean?
What do recent settlements with the FTC, FCC and SEC really mean for cyber hygiene?
Companies are facing a predicament when charged with federal regulatory violations over alleged failures to establish cybersecurity policies and/or protect personally identifiable information (PII).
When negotiations are underway, one of two scenarios often unfolds. In the first, a not-so-transparent game of “cry uncle,” government investigators strong-arm companies into settling data breach cases rather than rack up already mounting legal fees and suffer further damage to brand or company value. In the second, the company lets agency adjudication run its course and then seeks vindication in the federal court system, because any kind of agency settlement still leaves some doubt about whether wrongdoing occurred and can harm the company's future business dealings.
Nonetheless, there's no doubt the Federal Trade Commission (FTC), the Federal Communications Commission (FCC) and the Securities and Exchange Commission (SEC) will attempt to build on these 2015 publicly announced settlements:
- LifeLock's agreement to pay $100 million to consumers to settle FTC charges it violated a 2010 order
- AT&T agreeing to pay an FCC fine of $25 million over data breaches at three call centers
- Cox Communications agreeing to pay an FCC fine of $595,000 for failing to protect private customer information
- Investment adviser R.T. Jones agreeing to a $75,000 SEC penalty for failing to establish the required cybersecurity policies and procedures in advance of a breach that compromised the PII of approximately 100,000 individuals, including thousands of the firm's clients
Sometimes money isn't everything, as evidenced by the injunctive settlement reached last month between the FTC and Wyndham Worldwide, which agreed to 20 years of annual security audits and to ensure compliance with a formal risk assessment process.
The FTC did not return our enquiry for comment, but an FCC spokesperson stated in an email: “Settlements make abundantly clear the Commission's expectation that companies live up to their privacy obligations.” Such actions provide guidance to telecom and cable companies to take proactive steps to protect customers' PII and CPNI (customer proprietary network information, the data about consumers' telephone calls). The FCC spokesperson added that the FCC and FTC have a longstanding collaborative relationship in areas of overlapping jurisdiction, such as data security.