BreachExchange mailing list archives

Court Bolsters FTC's Authority to Regulate Cybersecurity


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 16 Sep 2015 19:22:32 -0600

http://www.technewsworld.com/story/82496.html

Companies that experience data security breaches have a lot to worry about
-- but their problems encompass much more than responding to irate
consumers.

The business community also has to worry about the U.S. government, which
can penalize e-commerce companies for failing to provide adequate
protection for consumers' personal data.

A recent federal court ruling could provide the federal government with
more muscle for cracking down on companies whose faulty information
technology practices result in the theft or exposure of personal data.

The ruling, issued in late August, stemmed from litigation involving the
U.S. Federal Trade Commission and Wyndham Worldwide, an operator of hotels
and resorts.

The FTC had filed a complaint in U.S. district court, charging Wyndham with
engaging in unfair business practices for having failed to provide adequate
protection for electronically processed consumer data. The court denied
Wyndham's petition for a dismissal of the case.

Wyndham then asked the U.S. Court of Appeals (Third Circuit) to override
the denial and grant a dismissal of the FTC's charges. The appeals court
ruled in favor of the FTC in a decision that appears to have reinforced the
commission's authority to regulate cybersecurity.

Focus on Unfairness Rule

Wyndham's data security failures led to three breaches at
company-affiliated facilities in less than two years, the FTC alleged,
resulting in millions of dollars of fraudulent charges on consumers' credit
and debit cards, as well as the transfer of hundreds of thousands of
consumer account records to a website registered in Russia.

The company's security failure amounted to an unfair business practice, the
commission claimed, based on its determination that a business practice is
unfair if it causes or is likely to cause substantial injury to consumers,
cannot be reasonably avoided by consumers, and is not outweighed by
offsetting benefits to consumers or to competition.

Those standards alone were not sufficient to support the FTC's charges,
Wyndham contended, arguing that the company's actions could not be judged
illegal under the "plain meaning" of unfairness: that a practice is unfair
only if it is "not equitable."

The appeals court rejected that argument, noting that "a company does not
act equitably when it publishes a privacy policy to attract customers who
are concerned about data privacy, fails to make good on that promise by
investing inadequate resources in cyber security, exposes its unsuspecting
customers to substantial financial injury, and retains the profits of their
business."

The Federal Trade Commission Act does not cover cybersecurity activities
specifically, Wyndham also contended.

The court rejected that argument, noting that the law's intention is to
give the FTC the ability to cover a broad range of business practices.

The FTC failed to provide Wyndham with fair notice of its cybersecurity
jurisdiction, the company maintained.

However, the court ruled that the FTC's vigorous cybersecurity activities
were public knowledge, and that companies engaged in e-commerce should
anticipate the regulatory consequences of security failures.

Not Over Until It's Over

Despite the appeals court ruling, all is not yet lost for Wyndham. The
appeals court decision addressed the company's petition for dismissal of
the case -- not the underlying FTC enforcement action. Since the dismissal
request has been denied, FTC v. Wyndham now can proceed in the district
court.

"While we are disappointed by the opinion, we continue to contend the FTC
lacks the authority to pursue this type of case against American
businesses, and has failed to publish any regulations that would give such
businesses fair notice of any proposed standards for data security," said
Michael Valentino, vice president of marketing and communications at
Wyndham.

"It is important to note that [the appeals court] opinion was decided
solely upon our motion to dismiss the FTC's complaint, which requires the
Third Circuit to take the FTC's allegations at face value," he told the
E-Commerce Times.

"Once the discovery process resumes, we believe the facts will show the
FTC's allegations are unfounded. Safeguarding personal information remains
a top priority for our company, and with the dramatic increase in the
number and severity of cyberattacks on both public and private
institutions, we believe consumers will be best served by the government
and businesses working together collaboratively rather than as
adversaries," Valentino said.

The FTC welcomed the appeals court ruling. The decision "reaffirms the
FTC's authority to hold companies accountable for failing to safeguard
consumer data," said FTC Chairwoman Edith Ramirez. "It is not only
appropriate, but critical, that the FTC has the ability to take action on
behalf of consumers when companies fail to take reasonable steps to secure
sensitive consumer information."

FTC's Position Gains

"I think this is a strong, though not unexpected, victory for the FTC,"
said Gautam Hans, policy counsel at the Center for Democracy & Technology.

"The commission's ability to regulate data security under the 'unfairness'
prong has been crucial in its data security cases, and it is important that
the agency continue to do so, especially given the widespread scale of data
breaches," he told the E-Commerce Times.

"The FTC will likely view the Third Circuit's decision as a vindication of
its privacy and data security enforcement and policy activities to date.
The Third Circuit's decision comes at a time when the FTC's role as the
nation's privacy regulator has never been stronger," said Chris Cole, a
partner at Crowell and Moring.

"The decision cements the FTC's authority to bring lawsuits over whether a
business's cybersecurity practices are unfair or deceptive," Scott
Talbott, SVP of government affairs at the Electronic Transactions
Association, told the E-Commerce Times.

The appeals court decision likely will weaken business opposition to the
FTC's authority to regulate cybersecurity practices. In practice, the burden
will fall on breached businesses to show that their security practices were
reasonable and that they were not responsible for the data breach -- a
difficult task.

Security an E-Commerce Priority

"It will always be hard for companies to defend themselves when they fail
to take reasonable precautions to protect sensitive financial information.
If these companies can't protect this data, they should not collect this
data," said Alan Butler, senior counsel at the Electronic Privacy
Information Center.

"This is a significant victory for the FTC and for American consumers. Data
breaches are occurring with increasing frequency, and it is critical that
the FTC use its enforcement authority to ensure that companies are meeting
their data protection obligations," he told the E-Commerce Times.

"Companies cannot simply collect and retain sensitive personal information
about their customers without taking the steps necessary to ensure that the
data is not improperly accessed or disclosed. Data collection triggers
privacy obligations, and the FTC clearly has the authority to enforce those
obligations," Butler said.

"Congress is watching this case closely," said ETA's Talbott. "Currently,
Congress has before it a number of bills that would establish a national
standard for protection of customers' data. In the absence of legislation,
cases like this one are establishing these standards."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss