3 minute read.
Welcome back to the CRO blog. Last week we discussed incorporating data security standards in business contracts. This week we’ll shift our focus to how the Federal Trade Commission plays a role in cybersecurity by breaking down the first of three FTC circuit court cases.
What role does the Federal Trade Commission play, with respect to cybersecurity?
The FTC has been around since 1914, broadly regulating industry in the United States. It’s made up of an anti-trust division and a consumer protection division. The consumer protection division enforces against unfair or deceptive acts or practices.
The FTC decided that cybersecurity practices that result in consumer harm, are unfair. That might seem like an interesting definition, but the definition of unfairness under the FTC Act is any act or practice that harms consumers that a reasonable consumer could not have avoided, and that is not outweighed by benefits to the consumer or competition.
FTC vs. Wyndham Worldwide Corporation:
This is to date, one of the cybersecurity cases that has gone to the Third Circuit Court of Appeals. The decision is from August 24th, 2015. Wyndham Worldwide Corporation is a worldwide hospitality company. They have timeshares. They have resorts. They have hotels. They have motels. They have everything related to accommodation and hotels.
The Wyndham case is a really good example of what you never want to do. Many times, there’s a strategy. When you’re trying to develop the law, and it can be summarized as good facts make good law. The corollary of that of course is, bad facts make bad law, and that happens a lot too.
The Facts:
Wyndham, being a hospitality company, cares most about location, location, location, worldwide, everywhere. Right? Every single one of those locations has to somehow talk to one another. They’re going to have a data network. But the problem was that many of their locations didn’t even have a firewall, basic password management, or requirements.
Their data network was essentially wide open. It was exploited, in fact, it wasn’t exploited once, not twice, but three times. On that third time, the FTC put a stop to it. They sighted Wyndham for not utilizing reasonable data security and violating the unfairness. Basically, all their consumers were getting hurt with identity theft and credit card fraud. They really couldn’t have done anything about it. They didn’t know that Wyndham was so poorly secured.
The FTC ended up suing Wyndham. Wyndham lost in the district court, and of course, they appealed.
The Questions:
There are really two questions that the Third Circuit Court of Appeals asked:
- Can the FTC regulate cybersecurity under the unfairness prong of the FTC Act?
- Did Wyndham have fair notice that it’s cybersecurity practices could violate the FTC Act?
The first is a substantive question. The second is what we would call a due process question.
Was Wyndham ignorant of the law?
The argument Wyndham made was that, “Hey. We didn’t know.” Generally speaking, ignorance of the law is no excuse. This is a situation where they were arguing something a little more sophisticated than that, which is basically, “Hey you violated our due process rights because we didn’t have fair notice that our practices, even possibly could violate the FTC Act.”
Is Wyndham a victim?
Yes. One could say. On one level Wyndham is definitely a victim. They were hacked three times. They’re a victim in so far as they were hit, as we’ve talked about when discussing reasonable cyber security standard. Basically, we’ve decided that you can’t just do nothing, and hope you don’t get attacked. As a business owner, maybe even as a person, you have some affirmative duty to defend the data that you collect.
Did Wyndham violate the law?
The answer, of course, is yes, absolutely. The Third Circuit Court agreed with the FTC’s analysis. They agreed there’s nothing that a reasonable consumer could have done to avoid the situation. They suffered harm and ultimately that’s what’s needed for unfairness.
The Wyndham case is not particularly useful in terms of a, “what should I do,” kind of question. It’s important because it gives the FTC the authority to make these kinds of rulings on cybersecurity cases, and it’s not going anywhere.
Check back next week to find out what FTC case we dive into next.