DataBreaches.Net


Does a presidential executive order on cybersecurity get a hotel chain off the FTC hook for its breaches?

Posted on March 14, 2013 by Dissent

I occasionally check the docket for FTC’s lawsuit against Wyndham over the multiple breaches they experienced. A story in my news reader today about how Ben Rothke of Wyndham Worldwide gave a talk on “The five habits of highly secure organizations” struck me as somewhat ironic, and I decided to see where the lawsuit stood. Of note, Wyndham recently argued that the President’s Executive Order on Improving Cybersecurity for Critical Infrastructure and accompanying Presidential Policy Directive support their motion to dismiss the FTC’s complaint that they failed to live up to their privacy policy and that their inadequate data security resulted in harm to many consumers.

In their Notice, Wyndham Worldwide Corporation states, in large part:

As relevant here, the Executive Order requires the National Institute of Standards and Technology (“NIST”) to lead the creation of a baseline set of standards for reducing cyber risks to critical infrastructure — what the Executive Order calls the “Cybersecurity Framework.” Cybersecurity EO § 7(a). The Cybersecurity Framework will establish a “set of standards, methodologies, procedures, and processes” for addressing cybersecurity threats, id., and will include “guidance for measuring the performance of an entity in implementing” those standards, id. § 7(b). The Framework must also “provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach” that includes specific “information security measures and controls” critical-infrastructure operators can implement to “identify, assess, and manage cyber risk.” Id. § 7(b). In developing the Cybersecurity Framework, the Director of NIST must “engage in an open public review and comment process.” Id. § 7(d). Compliance with the Cybersecurity Framework is initially “voluntary,” id. § 8(a), however federal agencies are directed to develop “incentives” to promote compliance and to assess whether “the agency has clear authority to establish requirements based on the Cybersecurity Framework,” id. § 10(a).

The method of regulation laid out in the Cybersecurity Executive Order starkly contrasts with the approach the Federal Trade Commission has taken to regulating cybersecurity under Section 5 of the FTC Act. The FTC has not issued any “standards, methodologies, procedures, [or] processes” for complying with Section 5, id. § 7(a); it has not established “guidance for measuring the performance of an entity in implementing” data-security protections that might comply with the statute, id. § 7(b); it has not identified specific “information security measures and controls” that a business might adopt, id. § 7(b); and it has not “engage[d] in an open public review and comment process,” id. § 7(d). To the contrary, the FTC has refused to issue any rules, regulations, or guidelines explaining what data-security protections a company must employ to comply with the Commission’s understanding of Section 5. See WHR Mot. to Dismiss at 10-11. Instead, the FTC has claimed the right to enforce its view of data-security policy through selective enforcement actions founded entirely on ex post reasoning. See, e.g., Br. of Amici Curiae Chamber of Commerce, et al., at 7-12.

The bottom-line point is simple. In the context of regulating critical infrastructure, the Executive branch has determined that governing rules and standards must be developed far in advance of any potential regulatory enforcement efforts and through a full-fledged “public review and comment process.” Id. § 7(d). If that is true in the context of critical infrastructure, then surely it is all the more true when the FTC attempts to regulate businesses operating in other sectors of the economy. For these reasons, and for those stated in defendants’ motions to dismiss, the FTC’s complaint should be dismissed as a matter of law.

The FTC has not yet responded to this filing. In November 2012, however, it had cited a then-new opinion in FTC v. LabMD from the Northern District of Georgia in which the court wrote, in part:

Although the Court finds there is significant merit to Respondents’ argument that Section 5 does not justify an investigation into data security practices and consumer privacy issues, it is a plausible argument to assert that poor data security and consumer privacy practices facilitate and contribute to predictable and substantial harm to consumers in violation of Section 5 because it is disturbingly commonplace for people to wrongfully exploit poor data security and consumer privacy practices to wrongfully acquire and exploit personal consumer information.

So will a presidential order on cybersecurity make a damned bit of difference in a lawsuit involving Section 5 of the FTC Act? I don’t think it should, but I guess we’ll have to wait and see.

Category: Breach Incidents, Business Sector, Commentaries and Analyses, Hack
