BreachExchange mailing list archives

FTC's authority over data regulation remains unclear


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 5 Mar 2015 19:10:46 -0700

http://www.fiercegovernmentit.com/story/ftcs-authority-over-data-regulation-remains-unclear/2015-03-05

It's still unclear whether the Federal Trade Commission overstepped its
authority when it brought legal action against Wyndham Hotels and Resorts
for negligent data security standards. An appellate court heard arguments
in the case this week.

FTC brought the action (pdf) in June 2012 after a series of three data
breaches at the hotel chain in 2008 and 2009 compromised 619,000 customer
accounts. But Wyndham's legal team says FTC has no authority to regulate
data privacy.

In April, a judge at the Federal District Court of New Jersey ruled in
favor of the FTC, siding with the agency's argument that Section 5 of the
FTC Act gives it such power.

Section 5 "prohibits 'unfair or deceptive acts or practices in or affecting
commerce'" and that "applies to all persons engaged in commerce, including
banks." It goes on to say that Section 8 of the Federal Deposit Insurance
Act gives FTC the "authority to take appropriate action when unfair or
deceptive acts or practices are discovered."

During 90 minutes of oral arguments in front of a three-judge panel at the
3rd Circuit Court of Appeals on March 3, Wyndham stood by its argument that
Congress did not give FTC power to regulate data privacy, according to an
article in The Hill.

"The commission has simply anointed itself a roving cybersecurity
prosecutor – but, unlike other prosecutors, one that seeks to define the
offense and to do so after the fact," Wyndham argued in a court brief, The
Hill story states.

Wyndham denies its cybersecurity was lacking. "As a matter of law and
common sense, a business cannot be deemed to have engaged in an 'unfair'
practice where, as here, that business itself was the victim of criminal
conduct by others," the company told the court, reports the Wall Street
Journal.

But an amicus brief (pdf) that the Center for Democracy and Technology and
the Electronic Frontier Foundation filed in November, when Wyndham filed
its appeal (pdf), urges the court not to buy that argument.

"The fact that hackers accessed the data does not abrogate Wyndham's
responsibility for observing minimum data security practices to prevent
harm from befalling its customers," it states. "Data security is a
responsibility similar to many other business functions; there is nothing
about data security that makes it fundamentally different from other
obligations to provide a safe experience to the consumer."

The Electronic Privacy Information Center also filed an amicus brief (pdf)
in support of the FTC, saying it plays a critical role in protecting
consumers' rights.

"Consumers in the United States face unprecedented levels of identity theft
and financial fraud. This is a direct result of the failure of companies to
establish adequate security standards," the group wrote. "Removing the
FTC's authority to regulate data security would be to bring dynamite to the
dam."

FTC has brought 50-plus legal actions against companies for alleged
cybersecurity failings, according to The Hill.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
