Court Affirms FTC Authority on Cybersecurity IssuesRuling Allows Suit Against Wyndham to Proceed
An appellate court has upheld the Federal Trade Commission's authority to play a key cybersecurity regulatory role as it relates to the protection of consumer data against breaches.
A Third Circuit U.S. Court of Appeals panel of judges ruled Aug. 24 that the FTC could proceed with its lawsuit against hotel chain Wyndham Worldwide Corp. The suit claims the company violated the FTC Act's unfair business practice provisions when it took inadequate security measures to protect consumer data. As a result, the FTC claims, Wyndham had data breaches that between 2008 and 2009 exposed more than 619,000 payment cards and other consumer information.
Legal experts says the court's decision essentially affirms the FTC's right to oversee and fine U.S. companies for cybersecurity missteps that result in the compromise of personal information and payment.
Based on the court's decision, "it is even clearer that the FTC is the leading agency in the U.S. for data breach matters," says cybersecurity attorney Chris Pierson, who serves as chief security officer of payments provider Viewpost. "Challenging the FTC's authority to regulate unfair/deceptive acts and practices is unlikely to be fruitful in court. The Wyndham case is a seminal case for the FTC for the proposition that the FTC has the power and ability to oversee cybersecurity breach issues as the nation's default regulator."
In a research note, threat-intelligence firm iSight Partners says the ruling reinforces the FTC's authority to punish organizations that fail to take adequate steps to ensure user security. "This creates additional financial risk for enterprises that elect not to make cybersecurity a priority, theoretically pushing organizations to enact effective security policies," according to the research note. "The FTC has provided some resources and guidelines for cybersecurity, and may seek to establish a structure or system for issuing fines in the future."
Other FTC Actions
In addition to its ongoing case against Wyndham, a final FTC ruling is pending in its longstanding breach-related cybersecurity case against medical testing company LabMD. And in July, the FTC charged ID theft protection firm LifeLock with deception, claiming the company violated a 2010 settlement with the commission and 35 state attorneys general by continuing to make deceptive claims about its ID theft protection services and failing to take steps to protect users' data.
Privacy attorney Kirk Nahra of the law firm Wiley Rein says the Wyndham ruling could hurt LabMD's case, because the court has now made it clear that the FTC does have the authority to regulate cybersecurity. LabMD has argued, in part, that the FTC does not have jurisdiction.
What the Wyndham case does not make clear, however, is whether the FTC can fine and sue breached businesses that are regulated by other agencies, Nahra adds. "The Wyndham case doesn't address that issue at all, and I can't even try to guess how a court would [rule] based on the Wyndham decision," he says.
Attorney Adam Greene, a partner at law firm Davis Wright and Tremaine in Washington, says the Wyndham ruling leaves many questions about how the FTC will regulate cybersecurity going forward. "The ruling means that entities will need to read the FTC tea leaves to best discern what is 'reasonable' security, as the court did not hold that the FTC has to set forth more specific standards," he says.
And Matt Franko, a senior management consultant at forensics and security assessment firm SecureState, contends that giving more government agencies authority to oversee corporate cybersecurity, as the Wyndham ruling does, won't be good for business.
"The government seems to be allowing all industries to govern themselves, until they prove they cannot get their own houses in order," Franko says. "Now they're stepping in, with the courts' help, and levying fines and lawsuits in attempt to rectify the situation."
The FTC's Case Against Wyndham
The appellate court panel upheld a lower court's April 2014 ruling to allow the FTC's suit against Wyndham to move forward.
In June 2012, the FTC sued Wyndham for lax security practices that allowed hackers to break into the hotel chain's network and steal payment cards and other personal information. The FTC claimed it has jurisdiction to regulate Wyndham as part of its authority to protect consumers from unfair and deceptive trade practices.
The FTC says Wyndham and its subsidiaries failed to implement standard security measures, such as complex user IDs and passwords, firewalls and network segmentation between hotels and the corporate network. Additionally, the FTC says improper software configurations used by the hotel chain and its subsidiaries resulted in the improper storage of sensitive card information in clear readable text. The storing of sensitive payment card information also violates the PCI Data Security Standard.
Last summer, rather than attempt to reach a settlement with the FTC, Wyndham challenged the FTC's authority to regulate corporate data security in its appeal, which was rejected this week.
Wyndham spokesman Michael Valentino tells Information Security Media Group that while the company is disappointed with the appellate court's ruling, the hotel chain still contends that the FTC lacks authority to pursue this kind of legal action against U.S. businesses, "and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security.
"It is important to note that today's opinion was decided solely upon our motion to dismiss the FTC's complaint, which requires the Third Circuit to take the FTC's allegations at face value," Valentino says. "Once the discovery process resumes, we believe the facts will show the FTC's allegations are unfounded. Safeguarding personal information remains a top priority for our company, and with the dramatic increase in the number and severity of cyber-attacks, on both public and private institutions, we believe consumers will be best served by the government and businesses working together collaboratively, rather than as adversaries."
A Call to Action
Jason du Preez, CEO of data protection firm Privitar, says the appellate court's decision should serve a warning that companies need to take data security more seriously.
"The legal and ethical implications need to be understood and respected," he says. "After all, a data breach can have really serious financial or personal consequences for individuals and destroy consumer trust and loyalty."
And SecureState's Franko contends that Wyndham should have had better protections in place to ensure consumer data could not be so easily breached.
"A company the size of Wyndham should have been making the proper investments at that time because information security was not new," he says. "What organizations need to do is make sure they know where their sensitive data resides within their network, segment it and apply the proper controls to secure it.