BreachExchange mailing list archives
FTC's authority over data regulation remains unclear
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 5 Mar 2015 19:10:46 -0700
http://www.fiercegovernmentit.com/story/ftcs-authority-over-data-regulation-remains-unclear/2015-03-05

It's still unclear whether the Federal Trade Commission overstepped its authority when it brought legal action against Wyndham Hotels and Resorts for negligent data security standards. An appellate court heard arguments in the case this week.

FTC brought the action (pdf) in June 2012 after a series of three data breaches at the hotel chain in 2008 and 2009 compromised 619,000 customer accounts. But Wyndham's legal team says FTC has no authority to regulate data privacy.

In April, a judge at the Federal District Court of New Jersey ruled in favor of the FTC, siding with the agency's argument that Section 5 of the FTC Act gives it such power. Section 5 "prohibits 'unfair or deceptive acts or practices in or affecting commerce'" and that "applies to all persons engaged in commerce, including banks." It goes on to say that Section 8 of the Federal Deposit Insurance Act gives FTC the "authority to take appropriate action when unfair or deceptive acts or practices are discovered."

During 90 minutes of oral arguments in front of a three-judge panel at the 3rd Circuit Court of Appeals on March 3, Wyndham stood by its argument that Congress did not give FTC power to regulate data privacy, according to an article in The Hill.

"The commission has simply anointed itself a roving cybersecurity prosecutor – but, unlike other prosecutors, one that seeks to define the offense and to do so after the fact," Wyndham argued in a court brief, The Hill story states.

Wyndham denies its cybersecurity was lacking. "As a matter of law and common sense, a business cannot be deemed to have engaged in an 'unfair' practice where, as here, that business itself was the victim of criminal conduct by others," the company told the court, reports the Wall Street Journal.

But an amicus brief (pdf) that the Center for Democracy and Technology and the Electronic Frontier Foundation filed in November, when Wyndham filed its appeal (pdf), urges the court not to buy that argument.

"The fact that hackers accessed the data does not abrogate Wyndham's responsibility for observing minimum data security practices to prevent harm from befalling its customers," it states. "Data security is a responsibility similar to many other business functions; there is nothing about data security that makes it fundamentally different from other obligations to provide a safe experience to the consumer."

The Electronic Privacy Information Center also filed an amicus brief (pdf) in support of the FTC, saying it plays a critical role in protecting consumers' rights.

"Consumers in the United States face unprecedented levels of identity theft and financial fraud. This is a direct result of the failure of companies to establish adequate security standards," the group wrote. "Removing the FTC's authority to regulate data security would be to bring dynamite to the dam."

FTC has brought 50-plus legal actions against companies for alleged cybersecurity failings, according to The Hill.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/