September 01, 2015

WSJ: CIOs must act defensively after FTC ruling

In the wake of the U.S. appeals court ruling confirming the Federal Trade Commission's authority to regulate cybersecurity, chief information officers should document their companies' cybersecurity compliance, according to The Wall Street Journal.

The ruling in late August means, among other things, that the FTC may now pursue a lawsuit against hotel operator Wyndham Worldwide Corp for not protecting consumers' sensitive data.

The Journal noted: "A CIO should act defensively to mitigate the company's exposure to claims by the FTC and other government regulators. Admittedly, some procedures which a company may implement to reduce the risk of a claim by the FTC after a cyberattack may appear to be aimed at 'optics.' However, documenting compliance with cybersecurity safety standards is potentially as important to the bottom line as the compliance itself."

Some of the "defensive steps" for CIOs listed by the Journal include: compliance with the National Institute of Standards and Technology voluntary cybersecurity framework; updating data and privacy policies; performance of an annual data security review by a competent third-party consultant; cooperation with risk management staff; and obtaining cybersecurity insurance.

The FTC's legal case stemmed from three data breaches at the Wyndham hotel chain in 2008 and 2009, which resulted in more than $10.6 million in fraudulent charges. A court ruled in April 2014 that the FTC could pursue the case – this latest decision upheld that ruling.

In related news, in February, the Obama administration proposed granting the FTC the authority to regulate companies' data collection practices.