Due to the increasing number of cyber-attacks and data breaches in recent years, regulators have stepped up enforcement against companies that fail to sufficiently protect their customers' Personally Identifiable Information (PII). These enforcement actions have drawn criticism from companies that complain it is unfair to be the victim of a breach and then be punished for it. Agencies like the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) say they do not intend to blame the victim; they seek to penalize organizations that fail to do the "bare minimum" to secure their networks. The real victim in these cases is not the company that was breached, it is the consumers whose PII was compromised.
Mark Eichorn, assistant director at the FTC's Bureau of Consumer Protection, gave several examples of what attracts regulators' attention. At a cybersecurity panel last Friday, Eichorn pointed to a recent case against computer hardware maker ASUSTek Computer, which shipped every one of its routers with "admin" as the default username and password. Because of this flaw, hackers were able to gain access to ASUS routers in consumers' own homes, according to the FTC.

Another example came last year, when R.T. Jones Capital Equities Management Inc. was fined $75,000 after it "failed to establish the proper cybersecurity protocols." The 2013 breach compromised the PII of roughly 100,000 individuals, simply because R.T. Jones had failed to follow basic cybersecurity measures such as installing a firewall and encrypting the sensitive information stored on its server. While many IT experts maintain that no organization can be completely secure from an outside attack, it is important to preserve consumer trust by striving for the best cybersecurity practices possible.