Court rules FTC can regulate cybersecurity practices

According to a press release from Ballard Spahr, a legal firm specializing in cybersecurity issues, a recent ruling from the U.S. Court of Appeals for the Third Circuit may change the way companies will have to deal with cybersecurity.

It all started with a complaint filed against Wyndham hotels, which had been hacked three times in less than two years.

The Ballard Spahr release stated:

Following three data breaches at Wyndham hotels in less than two years, which resulted in millions of dollars of fraudulent charges on consumers’ credit and debit cards, the Federal Trade Commission (FTC) filed a complaint in which it alleged that Wyndham had engaged in unfair and deceptive acts or practices in violation of Section 5 of the FTC Act. The FTC claimed that defendant’s data-security practices were “unfair” because they failed to include certain security protections and its privacy policy was “deceptive” because it misrepresented the extent of the defendant’s security measures.

Wyndham countered by claiming that the FTC “lacked authority to regulate its cybersecurity policies and procedures under the FTC Act, and that it did not receive fair notice of the standards the FTC expected it to follow.”

But the Court disagreed, stating that:

Congress would not have granted the FTC specific substantive authority regarding cybersecurity issues in the Fair Credit Reporting Act, Gramm-Leach-Bliley Act and Children’s Online Privacy Protection Act if the FTC already had regulatory authority over some cybersecurity issues.

The Court also ruled that previous statements made by the FTC regarding its authority under Section 5 were not inconsistent with its use of Section 5 to bring “unfairness actions against companies whose inadequate cybersecurity resulted in consumer harm.”

Also, in a bit of legal contortionism, the Court said that since Wyndham contended there was no FTC interpretation of Section 5 that merited deference, it was left to the Court to interpret what constituted fair notice.

The Court’s interpretation was that:

fair notice was satisfied “as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.” Section 5 provides that for the FTC to declare an act or practice “unfair,” it must find that “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

The Ballard Spahr release also pointed out that, because of this ruling, other government agencies might also start going after companies or institutions that fail to implement adequate cybersecurity measures.

Banks and other companies should also be aware of the realistic possibility that the Consumer Financial Protection Bureau may begin using its authority under Sections 1031 and 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (which proscribe unfair, deceptive or abusive acts or practices) to regulate cybersecurity policies and procedures of banks and other companies subject to its jurisdiction.

Since there are almost no laws governing cybersecurity in the private sector and, in fact, it is nearly impossible to hold a company responsible for data breaches even if they have little or no cybersecurity in place, you would think that sooner or later some government office or the courts would step forward to address this issue.

It might seem a little surprising that it was the FTC that took the initiative, but, then again, they are supposed to be the ones protecting consumers from fraudulent or dangerous practices – and these days, not having adequate security measures in place is definitely a dangerous practice.