The Akron Legal News


FTC can regulate companies with inadequate cybersecurity

RICHARD WEINER
Technology for Lawyers

Published: September 25, 2015

The 3rd U.S. Circuit Court of Appeals has ruled against the company that owns the Wyndham Hotels chain, holding that the Federal Trade Commission can regulate companies that have a pattern of cybersecurity breaches and writing that those breaches constitute unfair trade practices.

This ruling is a warning to every company or firm that ignores the fundamental principles of cybersecurity—you will be responsible for a lack of data security.

The case is Federal Trade Commission v Wyndham Worldwide Corp et al, 3rd U.S. Circuit Court of Appeals, No. 14-3514.

The FTC had brought suit to hold Wyndham accountable for the breach, the lower court held that the agency had that authority, and the Philadelphia-based appellate court confirmed that authority, allowing the trial to go forward.

Wyndham brands also include Howard Johnson, Ramada, Travelodge, Days Inn, and Super 8.

The case arose from three data breaches the hotel chain suffered when it was hacked in 2008 and 2009. Those breaches compromised over 600,000 customer credit cards, costing them over $10 million in fraudulent charges.

The ruling continues a pattern of governmental involvement in cybersecurity (written about many times in this column). Nobody, from the IRS to Josh Duggar, is safe from cyber hacking, whether or not that hacking involves criminal intent beyond the hack itself.

Nevertheless, there is no national law specifically governing civil responsibility for cybersecurity breaches, leaving that kind of regulation to agencies using centuries-old laws which were never designed to apply to the current technological environment.

This archaic (under the circumstances) consumer protection law, the only one available to the agency, and therefore the court, then led to the sorta bizarre language in the appellate holding that Wyndham had failed to prove that its alleged conduct “falls outside the plain meaning of ‘unfair’.”

For its part, Wyndham had argued that the FTC was overreaching, and that the agency lacked fair notice that the data breaches violated consumer protection statutes.

Well, that argument didn’t work, and now the FTC can hold companies responsible for data breaches. This is a really big decision, folks.

Can a law firm be far behind from this kind of hit? I bet it happens this decade.

