The Federal Trade Commission is proactively encouraging start-ups to take cybersecurity seriously and include consumer data safeguards early in the innovation process. At the FTC’s Start with Security conference in San Francisco on September 9, FTC Chairwoman Edith Ramirez called on innovators to instill a “culture of security” early in the product development lifecycle.
In her opening remarks at the conference, Ramirez urged innovators to create and implement products responsibly: “As you innovate, keep in mind that you are also stewards of consumer data, that the loss of that data could have disastrous consequences, and that, to avoid these consequences, you have a responsibility to start with security.” While recognizing that start-ups are important engines of growth in today’s economy, Ramirez called on small and medium-sized businesses to be partners in the FTC’s effort to implement security best practices. She referenced the FTC’s authority to bring law enforcement actions against companies of all sizes, and noted their prior actions against social networks, pharmacies, and mobile app developers. The FTC’s enforcement actions are intended to “ensure that companies make truthful representations about their privacy and security practices, and that they provide reasonable security for consumer data,” remarked Ramirez. As part of the conference, the FTC distributed to attendees Start with Security: A Guide for Business (June 2015), a guidebook for protecting personal information through security best practices.
The FTC’s conference comes on the heels of a recent decision by the United States Court of Appeals for the Third Circuit upholding the enforcement authority of the FTC to monitor and regulate cybersecurity. Federal Trade Comm’n v. Wyndham Worldwide Corporation (No. 14-3514, 2015 U.S. App. LEXIS 14839 (3d Cir. Aug. 24, 2015)) involved an enforcement action brought by the FTC pursuant to 15 U.S.C. § 45(a) of the Federal Trade Commission Act which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The FTC alleged that hotel chain Wyndham Worldwide was responsible for three data breaches by hackers occurring between 2008 and 2010. Wyndham argued that the FTC overstepped its boundaries in pursuing enforcement actions against companies victimized by cybercrime. The Third Circuit disagreed with Wyndham and affirmed the district court’s denial of Wyndham’s motion to dismiss, which we discussed here.
In light of the recent Third Circuit opinion and Ramirez’s remarks at the recent conference aimed at educating small companies on the need to invest in security, there can be no question that cybersecurity is a FTC priority. Companies of all sizes, including innovation start-ups, must provide reasonable security for consumer data.