Brent Kendall reports:
The Federal Trade Commission is offering a strong defense of its powers to police cybersecurity practices against a challenge by Wyndham Worldwide Corp.
We wrote about Wyndham’s challenge earlier this month in a case involving attacks by hackers on the hotel chain’s computer systems between 2008 and 2010. The FTC sued Wyndham last year for allegedly lax data security that let hundreds of thousands of credit-card numbers get stolen. The company said the government was unfairly seeking to punish the victim of the crime instead of the hackers who perpetrated it.
Now the FTC is firing back, arguing in a new court filing that corporations that collect consumer data bear responsibility for protecting it.
“The FTC is not suing Wyndham for the fact that it was hacked, it is suing Wyndham for mishandling consumers’ information such that hackers were able to steal it,” the agency said in a court filing this week.
In a battle of analogies, Wyndham argued the FTC suit was “the Internet equivalent of punishing the local furniture store because it was robbed and its files raided.”
The FTC’s new filing offered a different picture. “A more accurate analogy would be that Wyndham was a local furniture store that left copies of its customers’ credit and debit card information lying on the counter, failed to lock the doors of the store at night, and was shocked to find in the morning that someone had stolen the information.”
Read more on WSJ. This is a case I’ve been following since the hacks were first disclosed, and it represents the first time a data breach complaint by the FTC will be adjudicated by a court instead of ending in a settlement. The Chamber of Commerce and others, including TechFreedom, have jumped in on Wyndham’s side. Their argument emphasizes that the FTC has never promulgated clear rules giving businesses fair notice of what actions constitute “unfair or deceptive” practices under the FTC Act. Of course, in many cases the FTC draws upon other statutes: if doing something would violate the GLBA or another statute, that makes it an unfair or deceptive practice for the FTC’s purposes. Similarly, the FTC often looks to “industry standards” in determining whether an entity failed to provide adequate security. It also looks to statements made in an entity’s privacy policy or Terms & Conditions to determine what representations the entity made about data security and whether it lived up to those representations.
One criticism that has been lodged against the FTC’s data security actions is that in many cases, there really is no showing of harm or injury to the consumers, who may be protected by their banks for any fraudulent charges on their credit cards. Because most court cases involving data breaches result in dismissal for lack of standing due to absence of demonstrable harm, some (like Michael D. Scott) argue that the FTC should not be able to apply or enforce its powers in cases where you cannot demonstrate that consumers were objectively harmed.
To be clear: I’m hoping the FTC prevails. And if Congress doesn’t like the outcome, then let them get off their asses and introduce legislation that protects consumers from inadequate data security. Congress wanted to avoid legislation and let industry regulate itself, so as not to stifle innovation. All well and good, but with almost every entity suffering data breaches, someone’s got to protect consumers from inadequate security, and the FTC stepped up to the plate. This is no time to go backwards.
The Wyndham case does not strike me as unusual in terms of the grounds the FTC cited for its action. What makes it unusual is that Wyndham didn’t settle and is fighting this. If Wyndham is successful in getting the case dismissed, that will be a serious setback for the FTC. If the FTC wins, I expect we’ll see many businesses paying even more attention to data security.