Court rules FTC can regulate cybersecurity practices

According to a press release from Ballard Spahr, a legal firm specializing in cybersecurity issues, a recent ruling from the U.S. Court of Appeals for the Third Circuit may change the way companies will have to deal with cybersecurity.

It all started with a complaint filed against Wyndham hotels, which had been hacked three times in less than two years.

The Ballard Spahr release stated:

Following three data breaches at Wyndham hotels in less than two years, which resulted in millions of dollars of fraudulent charges on consumers’ credit and debit cards, the Federal Trade Commission (FTC) filed a complaint in which it alleged that Wyndham had engaged in unfair and deceptive acts or practices in violation of Section 5 of the FTC Act. The FTC claimed that defendant’s data-security practices were “unfair” because they failed to include certain security protections and its privacy policy was “deceptive” because it misrepresented the extent of the defendant’s security measures.

Wyndham countered by claiming that the FTC “lacked authority to regulate its cybersecurity policies and procedures under the FTC Act, and that it did not receive fair notice of the standards the FTC expected it to follow.”

But the Court disagreed, stating that:

Congress would not have granted the FTC specific substantive authority regarding cybersecurity issues in the Fair Credit Reporting Act, Gramm-Leach-Bliley Act and Children’s Online Privacy Protection Act if the FTC already had regulatory authority over some cybersecurity issues.

The Court also ruled that previous statements made by the FTC regarding its authority under Section 5 were not inconsistent with its use of Section 5 to bring “unfairness actions against companies whose inadequate cybersecurity resulted in consumer harm.”

Also, in a bit of legal contortionism, the Court said that since Wyndham contended there was no FTC Section 5 interpretation that merited deference, it was left to the court to interpret what constituted fair notice.

The Court’s interpretation was that:

fair notice was satisfied “as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.” Section 5 provides that for the FTC to declare an act or practice “unfair,” it must find that “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

The Ballard Spahr release also pointed out that, because of this ruling, other government agencies might also start going after companies or institutions that fail to implement adequate cybersecurity measures.

Banks and other companies should also be aware of the realistic possibility that the Consumer Financial Protection Bureau may begin using its authority under Sections 1031 and 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (which proscribe unfair, deceptive or abusive acts or practices) to regulate cybersecurity policies and procedures of banks and other companies subject to its jurisdiction.

Since there are almost no laws governing cybersecurity in the private sector and, in fact, it is nearly impossible to hold a company responsible for data breaches even if they have little or no cybersecurity in place, you would think that sooner or later some government office or the courts would step forward to address this issue.

It might seem a little surprising that it was the FTC who would take the initiative, but, then again, they are supposed to be the ones protecting consumers from fraudulent or dangerous practices – and these days, not having adequate security measures in place is definitely a dangerous practice.

Guy Wright

Guy Wright has been covering the technology space since the days when computers had cranks and networks were steam powered. He has been a writer and editor for more years than he cares to admit.

