DataBreaches.Net
Does a presidential executive order on cybersecurity get a hotel chain off the FTC hook for its breaches?

Posted on March 14, 2013 by Dissent

I occasionally check the docket for FTC’s lawsuit against Wyndham over the multiple breaches they experienced. A story in my news reader today about how Ben Rothke of Wyndham Worldwide gave a talk on “The five habits of highly secure organizations” struck me as somewhat ironic, and I decided to see where the lawsuit stood. Of note, Wyndham recently argued that the President’s Executive Order on Improving Cybersecurity for Critical Infrastructure and accompanying Presidential Policy Directive support their motion to dismiss the FTC’s complaint that they failed to live up to their privacy policy and that their inadequate data security resulted in harm to many consumers.

In their Notice, Wyndham Worldwide Corporation states, in large part:

As relevant here, the Executive Order requires the National Institute of Standards and Technology (“NIST”) to lead the creation of a baseline set of standards for reducing cyber risks to critical infrastructure — what the Executive Order calls the “Cybersecurity Framework.” Cybersecurity EO § 7(a). The Cybersecurity Framework will establish a “set of standards, methodologies, procedures, and processes” for addressing cybersecurity threats, id., and will include “guidance for measuring the performance of an entity in implementing” those standards, id. § 7(b). The Framework must also “provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach” that includes specific “information security measures and controls” critical-infrastructure operators can implement to “identify, assess, and manage cyber risk.” Id. § 7(b). In developing the Cybersecurity Framework, the Director of NIST must “engage in an open public review and comment process.” Id. § 7(d). Compliance with the Cybersecurity Framework is initially “voluntary,” id. § 8(a); however, federal agencies are directed to develop “incentives” to promote compliance and to assess whether “the agency has clear authority to establish requirements based on the Cybersecurity Framework,” id. § 10(a).

The method of regulation laid out in the Cybersecurity Executive Order starkly contrasts with the approach the Federal Trade Commission has taken to regulating cybersecurity under Section 5 of the FTC Act. The FTC has not issued any “standards, methodologies, procedures, [or] processes” for complying with Section 5, id. § 7(a); it has not established “guidance for measuring the performance of an entity in implementing” data-security protections that might comply with the statute, id. § 7(b); it has not identified specific “information security measures and controls” that a business might adopt, id. § 7(b); and it has not “engage[d] in an open public review and comment process,” id. § 7(d). To the contrary, the FTC has refused to issue any rules, regulations, or guidelines explaining what data-security protections a company must employ to comply with the Commission’s understanding of Section 5. See WHR Mot. to Dismiss at 10-11. Instead, the FTC has claimed the right to enforce its view of data-security policy through selective enforcement actions founded entirely on ex post reasoning. See, e.g., Br. of Amici Curiae Chamber of Commerce, et al., at 7-12.

The bottom-line point is simple. In the context of regulating critical infrastructure, the Executive branch has determined that governing rules and standards must be developed far in advance of any potential regulatory enforcement efforts and through a full-fledged “public review and comment process.” Id. § 7(d). If that is true in the context of critical infrastructure, then surely it is all the more true when the FTC attempts to regulate businesses operating in other sectors of the economy. For these reasons, and for those stated in defendants’ motions to dismiss, the FTC’s complaint should be dismissed as a matter of law.

The FTC has not yet responded to this filing. In November 2012, however, it had cited a then-new opinion in FTC v. LabMD from the Northern District of Georgia in which the court wrote, in part:

Although the Court finds there is significant merit to Respondents’ argument that Section 5 does not justify an investigation into data security practices and consumer privacy issues, it is a plausible argument to assert that poor data security and consumer privacy practices facilitate and contribute to predictable and substantial harm to consumers in violation of Section 5 because it is disturbingly commonplace for people to wrongfully exploit poor data security and consumer privacy practices to wrongfully acquire and exploit personal consumer information.

So will a presidential order on cybersecurity make a damned bit of difference in a lawsuit involving Section 5 of the FTC Act? I don’t think it should, but I guess we’ll have to wait and see.

Category: Breach Incidents, Business Sector, Commentaries and Analyses, Hack
