Pub. 22 2023 Issue 1

• Data breach mitigation: Depending on the level of your cybersecurity coverage (or lack thereof), you could be paying out-of-pocket for forensic professionals to “stem the bleeding” and try to recover what you can.
• Dealership downtime: Your dealership will suffer significant delays as you try to survey the extent of the breach and work through the mitigation efforts.
• Data recovery: If it was a ransomware attack that resulted in the loss of employee, customer, and dealership information, the road back to where you started will be a long one. Think of all the information that existed prior to the attack that you will now need to rebuild from scratch.
• Consumer protection efforts: Depending on the extent of the breach, you may be legally responsible for the cost of providing identity theft protection measures to all of the consumers who suffered a release of their information.
• State and federal penalties: Suffering a breach does not earn you any pity from the government. State and federal enforcement officials will “pour salt in the wound” in the form of heavy fines and penalties.
• Class action lawsuits: Dealers may also face a class action lawsuit by harmed individuals who had their information either stolen or released.

FTC Using Its Broad Authority Under Section 5 for Cybersecurity Concerns

Section 5 of the FTC Act prohibits “unfair or deceptive business practices in or affecting commerce.” Given that this clause has been around since 1914, it is safe to say that the authors did not consider cybersecurity during the time that it was drafted. Nevertheless, the FTC has wielded this section as a sword to strike down businesses that have displayed poor cybersecurity practices. Defining false data security or privacy representations under both “unfair” and “deceptive” terms since 2002, the FTC has negotiated consent agreements with most businesses since many don’t want to test its authority over regulating cybersecurity.
It was not until 2012 that a private company, which had been the victim of a cyber attack THREE TIMES, moved to dismiss the FTC’s lawsuit, stating that the FTC had no authority, rather than enter into a settlement. The case went all the way up to the Third Circuit, which affirmed that the FTC DOES have the authority to regulate cybersecurity. Since then, there have been no direct challenges to the FTC’s authority over a business’s cybersecurity practices under this broad Section 5, and the FTC continues to use it repeatedly and effectively:

• Consent order with an education technology provider for alleged poor data security practices that exposed sensitive information about millions of customers and employees. Specifically, it did not require employees to use MFA, stored information insecurely, and failed to provide adequate security training to employees. – January 2023

30 new jersey auto retailer
