Court ruling leads to fears of FTC litigation on cybersecurity

Industry groups are worried that an appeals court ruling giving the Federal Trade Commission permission to sue for shoddy cybersecurity will result in overregulation.

Earlier this week, the 3rd Circuit U.S. Court of Appeals ruled unanimously that the FTC can go forward with a lawsuit alleging that the Wyndham Worldwide Corp. did not do enough to safeguard its customers’ personal data.

The hotel company suffered three significant breaches between 2008 and 2010, resulting in the theft of credit card information for more than 600,000 patrons.

Some are concerned that Monday’s ruling will open the floodgates to more punitive action by the agency.

“We are concerned that Monday’s decision will exacerbate the unfortunate trend over the last 10 years of ad hoc litigation and overregulation when it comes to cybersecurity,” Steven Lehotsky, vice president and chief counsel for regulatory litigation at the U.S. Chamber Litigation Center, told The Christian Science Monitor.  

The FTC has brought more than 50 lawsuits against companies over lax cybersecurity, most of which have resulted in settlements.

Its cases rely on the assumption that poor cybersecurity can be considered an unfair or deceptive trade practice, outlawed by the 1914 Federal Trade Commission Act.

Experts say that many companies already consider the FTC to be the cop on the beat and work to ensure their cybersecurity practices don’t draw enforcement attention.

The decision simply “confirms what everyone operating in the field already knew or took for granted,” said Scott Vernick, partner and head of the data security and privacy practice at Fox Rothschild.

Critics of the FTC’s claim to cybersecurity authority say that the agency has failed to lay out clear regulations for companies to follow. They say it relies instead on a vague requirement that companies provide “reasonable” protection to their customers.

The business community says the companies are also victims and has condemned the agency for inappropriately punishing them.

“Excessive enforcement by agencies relying on decades-old laws that were not meant to address cybersecurity is not the solution to [a] national security problem,” Lehotsky said.

But fears that the FTC will take Monday’s ruling as license to crack down on companies are overstated, others say.

“From a practical standpoint, I don’t see the FTC deciding that the Third Circuit has now given it a blank check to go out after every company that has a breach,” said Kristine Devine, a communications attorney with Harris, Wiltshire & Grannis.

She characterized the FTC’s cybersecurity actions to date as “judicious,” noting that it has largely limited itself to cases like Wyndham's, where the allegations, if true, represent a clear case of deceptive trade practices.

The agency’s case against the hotel chain hinges on its privacy policy, which says that it takes “commercially reasonable efforts to create and maintain ‘fire walls’ and other appropriate safeguards,” including encryption.

The regulatory agency claims that, contrary to its policy, Wyndham neither encrypted data nor used firewalls, a violation that would be fairly cut-and-dried, experts say.

Devine also points out that the 3rd Circuit’s decision would only be valid in that jurisdiction.

“I think the 3rd Circuit’s reasoning is pretty sound. I don’t necessarily think another court would strongly disagree,” Devine said. “[The ruling] is not precedential, but it’s persuasive.”