Content

Debate: The FTC should have the right to penalize companies for poor data security/privacy practices.

,

This month's featured debate informs whether the FTC should have the right to penalize companies for poor data security/privacy practices.

FOR

Craig Spiezle, executive director & president, Online Trust Alliance


While there is no silver bullet to guarantee data protection, companies must take reasonable steps to secure consumer data. Last year, the number of breaches increased 34 percent, yet more than 90 percent of these were avoidable. Although these businesses have to deal with remediation expenses, compliance with state statutes and the impact on trust of their brand, it is just as important that businesses be held accountable to the impact on their customers.

 Under section five of the Consumer Protection Act, businesses have the obligation to safeguard consumer data. The Federal Trade Commission (FTC) has increasingly exercised settlements with some of the worst offenders, yet does not have the power to fine a company directly. Many industry observers have suggested that the FTC be directly empowered to levy fines to increase accountability. As a data-driven economy, business leaders need to increase the stewardship of the data they collect. Those that fail to take reasonable steps need to be held accountable.

CON

Brian Gay, owner, Think Forward Consulting

The FTC should not have the right to penalize companies for poor data security and privacy practices. If the FTC attempts to penalize companies for poor security, there will be several issues. The first is around poor practices. How will the FTC measure poor data security and privacy practices? Will the FTC compare programs by industry? Without clear guidelines the penalties will not be enforceable.  

The next concern is that increasing cyber security oversight will create a decrease in transparency. Currently, companies are very reluctant to admit security hacks and data losses. If the FTC were allowed to penalize companies, there would no incentive to publicly admit data security issues and share best practices. This will negatively impact data and privacy as a whole.   

It would be better for the FTC to provide positive incentive. How about if the FTC were to reward companies for high-performing cyber security practices instead?

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.