Some time ago I called Wyndham v. FTC the “most important cybersecurity case you’ve never heard of.” Well, it was decided today. For those who need a reminder, the case involved the FTC’s effort to use its general power to regulate “unfair” business practices as a means of compelling consumer organizations like Wyndham hotels to adopt cybersecurity practices. The argument was that failing to do so was an unfair business practice that (in the words of the statute): “caused or [is] likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.” Wyndham argued that enforcing general cybersecurity standards was outside the bounds of FTC statutory authority — an argument supported by an FTC report from 2000 which doubted that the authority existed. And so, today’s decision upholding the FTC’s authority is quite significant. I haven’t had a chance to read the full opinion, but according to the Wall St. Journal:
“In a 42-page ruling, Judge Salas refused to “carve out a data-security exception to the FTC’s authority” to protect consumers, saying Wyndham’s position would “bring us into unchartered territory.” The judge, however, also said her ruling “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.”
The ruling goes only to the authority to sue, not to the merits of the claim. But as any good lawyer knows, losing the motion to dismiss is tantamount to defeat. Expect a settlement soon. More to the point the ruling will empower the FTC substantially on a broad scale. The FTC’s efforts are currently the only effective aspect of a Federal program to compel the business community to adopt more stringent cybersecurity measures. Cybersecurity legislation is still in the future and the Administration’s NIST Framework remains voluntary. The FTC now has the hammer … and that will be a bit of a game-changer.