Lawfare readers will recall that I earlier blogged about the Federal Trade Commission’s case against Wyndham Hotels. Under the mantle of its consumer protection mandate, the FTC has sought to impose civil penalties against companies that do not adequately protect the personal information of consumers. Wyndham is challenging that authority, arguing that the FTC is not, de jure, a national setter of cybersecurity standards. I called it the “most important cybersecurity case you’ve never heard of.”

That may not be true if Congress acts.  Perhaps anticipating a loss (or, more likely, in a “belt and suspenders” type maneuver) the FTC yesterday testified on Capitol Hill seeking additional statutory authority.  According to the National Law Journal:

[FTC Chair Edith] Ramirez said she favors making the FTC the sole federal agency in charge of enforcing a uniform set of national data breach notification requirements. Such requirements would compel businesses to notify consumers of a data breach promptly, and also to notify credit bureaus. The FTC has urged Congress to give the agency civil penalty authority against companies that fail to maintain reasonable security.

Passage of such legislation would more or less moot Wyndham’s challenge.

