The case is Federal Trade Commission v. Wyndham Worldwide Corporation, a civil suit brought in the District of Arizona by the FTC relating to a cybersecurity breach at Wyndham. To understand why the case matters quite a bit, we need to step back and understand the FTC.
The FTC has two grounds on which it can bring a civil lawsuit. One is an allegation of deception – in other words, an argument that some consumer service organization (like, say, Wyndham Hotels) had made representations to the consuming public that were false. As you may imagine, allegations of that sort are often very fact-specific and tied to particular circumstances.
The second ground for FTC enforcement is a broader one – that a company has engaged in “unfair” business practices. In other words, that a company “caused or [is] likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.”
The FTC suit against Wyndham is tied to a breach of Wyndham’s computer systems by a Russian criminal organization that, allegedly, resulted in more than $10 million in fraud losses. It seeks a permanent injunction directing Wyndham to fix its cyber systems so that they are more secure, as well as unspecified damages.
The suit asserts both grounds for FTC jurisdiction. It first alleges that Wyndham’s privacy policy about how they will maintain the security of information about their customers is deceptive – in other words that Wyndham made cybersecurity promises it couldn’t keep. The suit also alleges that, systematically, Wyndham’s failure to provide adequate cybersecurity for the personally identifiable information of its customers is an unfair business practice.
This type of lawsuit by the FTC is not unusual. These legal theories have been the foundation, for example, of the FTC’s investigation of Google, Twitter and HTC, and its investigation of data breaches at large consumer companies like Heartland. In almost all of these cases, the FTC deploys some combination of the argument that a company has misled the public about the nature of its cybersecurity (“deception”) or that it has failed to invest adequately in cybersecurity measures (“unfair practices”). Until now, all of these actions have resulted in out-of-court settlements, leaving the validity of the FTC’s legal theories untested.
It is fair, I think, to say that at this point in time the FTC’s efforts are the only effective aspect of a Federal program to compel the business community to adopt more stringent cybersecurity measures. [I use “effective” here in a descriptive manner, as it is indisputable that the FTC’s efforts are having an effect. Whether, as a normative matter, those effects are good or bad is a different question.] Cybersecurity legislation is still in the future and the Administration’s Executive Order remains in development. The FTC is the only effective game in town.
But now – in the Wyndham case – the FTC’s authority is being questioned. As the Wall Street Journal recently reported, Wyndham is challenging the basic premise of the FTC’s suit, arguing that consumer protection statutes cannot be stretched to cover cybersecurity issues. Wyndham has argued that the lawsuit exceeds the FTC’s enforcement authority – a position supported by the Chamber of Commerce.
The principal evidence that the FTC may be acting beyond its authority is its own report from 2000, in which it asked Congress to expand its legal authority to consider security breaches as consumer-protection issues. Congress has never acted on that request, but the FTC has decided to proceed anyway. Indeed, as Wyndham notes, there are a host of more specific data-security laws already on the books (HIPAA; COPPA; Gramm-Leach-Bliley; Fair Credit Reporting), suggesting that there has not been a broad, general grant of data-breach security regulatory authority to the FTC.
Now, we can see why this is a significant matter. In the absence of comprehensive cybersecurity legislation, and while we are waiting for the cybersecurity standards of the Executive Order to be developed, the only effective method for cybersecurity regulation by the government is to use the FTC’s enforcement authority. If, in the end, it turns out that the FTC lacks the authority it has been asserting, then … well, then the government will be without any real authority to compel cybersecurity improvements. Some will see that as a victory; others as a defeat – but either way it will be quite important. We’ll keep an eye on Wyndham as it moves forward.