Tug Of Authority Over Legal Gap In Online Privacy
Even the most mundane online tasks require us to hand over sensitive data. Privacy policies pass by with an easy click. Yes, each company has its own legal language about the risks we take on, but the standards for consumer protection are murky.
"There is no one law in the United States that mandates that websites and phone applications have good data security," says law professor Woodrow Hartzog, who focuses on the area of privacy law and online communication.
So if there isn't one set of rules, who's working to keep your personal information safe?
Policing Security
The Federal Trade Commission has stepped in to fill the void and police data security, citing its authority to protect consumers. Since the early 2000s, the FTC has brought close to 50 cases against companies with allegedly lax data security practices that have put consumers at risk.
But this year, one of those companies fought back. Wyndham Worldwide Corp. is challenging the FTC's authority to bring complaints against companies in the first place.
The FTC alleges that the company's "unreasonable data security practices permitted hackers to access its network on three separate occasions over the course of two years," according to the commission's director of consumer protection, Jessica Rich.
Computer servers at the hotel chain were hacked. Hackers exported credit card information from hundreds of thousands of consumers to a Russian domain. This resulted in close to $11 million in fraudulent charges.
Rich claims there were simple steps that could have been taken to prevent the damage.
"Just some examples: Wyndham didn't require complex passwords for systems that managed consumers' payment card information; Wyndham stored credit card information in plain, readable text, making it much more available to hackers," she says.
In a statement, Wyndham said that Congress has not provided the FTC with "the authority to pursue such cases against American businesses."
But Rich says the charges do fall within the FTC's jurisdiction.
"We have authority to bring action against companies that engage in either deceptive or unfair practices," she says. " 'Deceptive practices' means that companies have made misstatements about the level of security they provide; or 'unfairness' basically means putting consumers at unreasonable risk of injury."
What Fits The Crime?
To protect the consumer, the FTC wants companies to take strong measures to prevent personal data from falling into the wrong hands.
"There have been so many breeches of data in recent years," Rich says. "Identity theft has really been on the rise. It's the highest-reported complaint that we get at the Federal Trade Commission — to promote better data security, including by bring action against companies who fail to do so."