Wyndham must face hacker suit as court upholds FTC power

One of the year’s most significant cybersecurity policy developments didn’t emerge from Capitol Hill or the White House, but was delivered on Aug. 25 by a U.S. appeals court in Philadelphia.

A ruling by a three-judge panel of the 3rd Circuit Court of Appeals strongly affirmed the Federal Trade Commission’s broad authority to punish companies for failing to secure the data they collect from customers.

Industry groups and Republican lawmakers assert that the FTC uses ambiguous standards when applying such enforcement authority, and that the commission has never spelled out its data-security expectations.

Senate Judiciary Chairman Chuck Grassley, R-Iowa, Commerce Chairman John Thune, R-S.D., and Republicans on the House Energy and Commerce and Financial Services committees have all said new data-security and breach notification legislation is needed — in particular to clarify the FTC’s role.

But the senators have yet to produce bills and two competing measures have stalled in the House. Congressional sources last week said there are still no plans to address the issue this fall.

In the absence of clear guidance from Congress on the FTC’s role, regulators and the courts continue to define the policy.

The commission, using its powers under Section 5 of the 1914 FTC Act, says companies that fail to provide adequate security for consumer data are engaged in an unfair or deceptive act or practice.

In this case, the FTC brought an enforcement action against resort operator Wyndham Worldwide after 619,000 customer records were illegally accessed in three separate breaches. Over $10 million in fraudulent charges were applied to customers’ credit cards, according to the FTC.

The appeals court agreed last week that the FTC complaint could proceed at the federal district court level. The court of appeals used unusually strong language in criticizing Wyndham’s cybersecurity practices.

Wyndham should have been on notice after the first — or certainly after the second — breach that it might risk legal liability by failing to better secure its customers’ data, the court found.

The appeals court decision follows a similar ruling by a federal district court and clears the way for the FTC to pursue a lawsuit against Wyndham. The company has not said whether it will appeal to the Supreme Court but asserts that it can defeat the FTC’s charges on the merits.

“Today’s 3rd Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” said FTC Chairwoman Edith Ramirez. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

Wyndham was backed by business groups like the U.S. Chamber of Commerce and National Federation of Independent Business in arguing that the FTC exceeded its authority. The business community is concerned that over-zealous enforcers at the FTC can arbitrarily decide if and when a company’s cybersecurity practices are inadequate.

On the other side, public-interest groups lined up behind the FTC.

“Wyndham claimed that the plain language of the FTC Act … didn’t allow for the agency to regulate data security,” according to the Center for Democracy and Technology, which earlier in the process filed an amicus brief in support of the FTC. “Wyndham argued that the FTC Act’s prohibition on unfair practices was too vague and broad here. However, because the FTC Act contains a balancing test for unfairness claims, it’s not surprising that the court didn’t buy this argument.”

The CDT added: “In response to Wyndham’s claims that broad unfairness enforcement would lead to regulation of even the most minor of business practices, potentially threatening businesses that are ‘sloppy about sweeping up banana peels,’ the court wryly observed that any business that allowed 619,000 customers to slip on banana peels should hardly be immune from liability.”

The White House and congressional Democrats made data security and breach notification legislation a top priority this year. The Obama administration wants to formally enshrine the FTC’s authority in law.

In the meantime, the commission hasn’t been shy about exercising its enforcement powers.

In July, for instance, the FTC sent LifeLock’s stock price plummeting when it asked a federal court to impose penalties on the company for allegedly failing to live up to an earlier legal settlement. The commission said LifeLock continued to make false claims about its online identity protection and data-security services, even after a 2010 settlement with the FTC and 35 state attorneys general.

Former Homeland Security Secretary Tom Ridge serves on the LifeLock board of directors, and put out a statement strongly supportive of the company and its practices. The company itself rejected the allegations and said it had engaged in good-faith efforts to settle the case with the commission.

Regardless, the company’s stock price fell by 50 percent within hours of the FTC move, demonstrating the commission’s power in this space.

The Obama White House is well-aware that the FTC could take a different, less aggressive enforcement stance under a new administration, and wants to codify its authority before leaving office.

There is actually a substantial amount of overlap in positions over data-breach issues and FTC authority. Businesses and consumer groups alike see benefits in setting uniform national standards. But the differences are significant as well, and it seems highly unlikely that there’s enough time to reach a compromise this year.

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.
