Court Bolsters FTC’s Authority to Regulate Cybersecurity

Companies that experience data security breaches have a lot to worry about — but their problems encompass much more than responding to irate consumers.

The business community also has to worry about the U.S. government, which can penalize e-commerce companies for failing to provide adequate protection for consumers’ personal data.

A recent federal court ruling could provide the federal government with more muscle for cracking down on companies whose faulty information technology practices result in the theft or exposure of personal data.

The ruling, issued in late August, stemmed from litigation involving the U.S. Federal Trade Commission and Wyndham Worldwide, an operator of hotels and resorts.

The FTC had filed a complaint in U.S. district court, charging Wyndham with engaging in unfair business practices for having failed to provide adequate protection for electronically processed consumer data. The court denied Wyndham’s petition for a dismissal of the case.

Wyndham then asked the U.S. Court of Appeals (Third Circuit) to override the denial and grant a dismissal of the FTC’s charges. The appeals court ruled in favor of the FTC in a decision that appears to have reinforced the commission’s authority to regulate cybersecurity.

Focus on Unfairness Rule

Wyndham’s data security failures led to three breaches at company-affiliated facilities in less than two years, the FTC alleged, resulting in millions of dollars of fraudulent charges on consumers’ credit and debit cards, as well as the transfer of hundreds of thousands of consumer account records to a website registered in Russia.

The company’s security failure amounted to an unfair business practice, the commission claimed, based on its determination that a business practice is unfair if it causes or is likely to cause substantial injury to consumers, cannot be reasonably avoided by consumers, and is not outweighed by offsetting benefits to consumers or to competition.

Those standards alone were not sufficient to support the FTC’s charges, Wyndham contended, arguing that the company’s actions could not be judged illegal under the “plain meaning” of unfairness: that a practice is unfair only if it is “not equitable.”

The appeals court rejected that argument, noting that “a company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cyber security, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”

The Federal Trade Commission Act does not cover cybersecurity activities specifically, Wyndham also contended.

The court rejected that argument, noting that the law’s intention is to give the FTC the ability to cover a broad range of business practices.

The FTC failed to provide Wyndham with fair notice of its cybersecurity jurisdiction, the company maintained.

However, the court ruled that the FTC’s vigorous cybersecurity activities were public knowledge, and that companies engaged in e-commerce should anticipate the regulatory consequences of security failures.

Not Over Until It’s Over

Despite the appeals court ruling, all is not yet lost for Wyndham. The appeals court decision addressed the company’s petition for dismissal of the case — not the underlying FTC enforcement action. Since the dismissal request has been denied, FTC v. Wyndham now can proceed in the district court.

“While we are disappointed by the opinion, we continue to contend the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security,” said Michael Valentino, vice president of marketing and communications at Wyndham.

“It is important to note that [the appeals court] opinion was decided solely upon our motion to dismiss the FTC’s complaint, which requires the Third Circuit to take the FTC’s allegations at face value,” he told the E-Commerce Times.

“Once the discovery process resumes, we believe the facts will show the FTC’s allegations are unfounded. Safeguarding personal information remains a top priority for our company, and with the dramatic increase in the number and severity of cyberattacks on both public and private institutions, we believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries,” Valentino said.

The FTC welcomed the appeals court ruling. The decision “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” said FTC Chairwoman Edith Ramirez. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

FTC’s Position Gains

“I think this is a strong, though not unexpected, victory for the FTC,” said Gautam Hans, policy counsel at the Center for Democracy & Technology.

The commission’s ability to regulate data security under the ‘unfairness’ prong has been crucial in its data security cases, and it is important that the agency continue to do so, especially given the widespread scale of data breaches,” he told the E-Commerce Times.

“The FTC will likely view the Third Circuit’s decision as a vindication of its privacy and data security enforcement and policy activities to date. The Third Circuit’s decision comes at a time when the FTC’s role as the nation’s privacy regulator has never been stronger,” said Chris Cole, a partner at Crowell and Moring.

“The decision cements the FTC’s authority to bring lawsuits over a whether a business’s cybersecurity practices are unfair or deceptive,” Scott Talbott, SVP of government affairs at the Electronic Transactions Association, told the E-Commerce Times.

The appeals court decision likely will business opposition to the FTC’s authority to regulate cybersecurity practices. Thus, the burden will fall on businesses to prove they were not responsible for any data breach — a difficult task.

Security an E-Commerce Priority

“It will always be hard for companies to defend themselves when they fail to take reasonable precautions to protect sensitive financial information. If these companies can’t protect this data, they should not collect this data,” said Alan Butler, senior counsel at the Electronic Privacy Information Center.

“This is a significant victory for the FTC and for American consumers. Data breaches are occurring with increasing frequency, and it is critical that the FTC use its enforcement authority to ensure that companies are meeting their data protection obligations,” he told the E-Commerce Times.

“Companies cannot simply collect and retain sensitive personal information about their customers without taking the steps necessary to ensure that the data is not improperly accessed or disclosed. Data collection triggers privacy obligations, and the FTC clearly has the authority to enforce those obligations,” Butler said.

“Congress is watching this case closely,” said ETA’s Talbott. “Currently, Congress has before it a number of bills that would establish a national standard for protection of customers’ data. In the absence of legislation, cases like this one are establishing these standards.”