Major Challenge to FTC's Cybersecurity Authority Evaporates
Dec 28, 2015 10:15 AM PT
The settlement could have a significant impact on e-commerce in that it ended a major legal challenge to the FTC's extension of its authority into the realm of cybersecurity.
As part of the settlement, Wyndham essentially agreed to abandon its nearly four-year opposition to the FTC's assertion that federal law authorizes it to pursue charges against businesses that fail to protect consumers from cyberthreats.
Each Side Benefits
For its part of the settlement, the FTC effectively withdrew its allegations that Wyndham had violated federal law. However, Wyndham will be required to implement a comprehensive program to improve its protection of consumer information, and the FTC will have oversight jurisdiction.
The settlement was reached after the U.S. District Court for New Jersey and the U.S. Court of Appeals for the Third District supported the FTC's position.
While the appeals court decision may be more important legally, the combination of that ruling and the terms of the settlement "will have a chilling effect on future lawsuits challenging the FTC's authority," said Scott Talbott, senior vice president of government affairs at the Electronic Transactions Association.
Technically the appeals court ruling is only applicable within the 3rd Circuit, but "it creates a precedent confirming the FTC's authority in this area," he told the E-Commerce Times.
"The Wyndham settlement does not preclude other companies from challenging the FTC's cybersecurity authority, particularly in courts outside the 3rd Circuit. Nevertheless, it remains to be seen whether companies will actually choose to do so," said Norman Armstrong, a partner at King & Spalding.
"The Wyndham litigation was the most significant challenge to the commission's cybersecurity authority in recent years. Its decision will be a major hurdle for future challenges, and it is uncertain whether another defendant will choose to invest similar time, energy and resources to relitigate the commission's cybersecurity authority," he told the E-Commerce Times.
Further Challenges Unlikely
"The opinion published by the U.S. Court of Appeals definitively established that the FTC has the authority to enforce cybersecurity standards. Wyndham has opted to settle the case rather than seek further review, and the 3rd Circuit's decision now stands as a clear affirmation of the FTC's authority," said Alan Butler, senior counsel at the Electronic Privacy Information Center.
"I don't think it is likely that other businesses will challenge this basic premise in future cases, though they might seek to challenge future orders on other grounds," he told the E-Commerce Times.
The FTC regarded the Wyndham agreement as a legal milestone in support of its position.
"This settlement marks the end of a significant case in the FTC's efforts to protect consumers from the harm caused by unreasonable data security," said FTC Chairwoman Edith Ramirez.
"Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area," she said.
Wyndham was pleased to reach a settlement, noting that the agreement doesn't hold the company liable for violations or require it to pay any monetary relief, it said.
The company believed it had in place reasonable security and that the FTC's position could harm the franchise business model, it said. The settlement resolves those issues and standardizes what the government considers reasonable security of payment card information.
Wyndham's petition for dismissal faltered over the issue of what constitutes an unfair practice. As outlined in the Federal Trade Commission Act, a business practice is deemed unfair if it is "likely to cause substantial injury to consumers; cannot be reasonably avoided by consumers, and is not outweighed by offsetting benefits to consumers or to competition."
The FTC alleged that three separate data breaches at Wyndham-associated facilities between 2008 and 2009 constituted an unfair practice by causing more than US$10 million in fraudulent charges on consumers' credit and debit cards -- and the transfer of hundreds of thousands of consumer account records to a foreign website.
The commission contended that the company's security program was significantly deficient.
The appeals court ruled that the FTC Act gives the commission broad authority that includes coverage of consumer-related cybersecurity issues.
But since the appeals court addressed only the company's petition for dismissal, resolution of the case and the charges was left to the district court, which approved the settlement through a consent order and retained jurisdiction of the case.
Clues to FTC's Expectations
The provisions of the settlement itself are instructive in terms of the FTC's approach. First, as Wyndham noted, the consent order applies to payment card information only, not to any other categories of personally identifiable information.
The security requirements of the settlement "are aligned with the Payment Card Industry Data Security Standard -- also known as PCI DSS," according to the King and Spalding briefing. "As a result, the requirements may already be contractually imposed on Wyndham through major card brands such as Visa and MasterCard. In line with prior FTC settlements and consent orders, Wyndham must generally comply with the agreed-to terms for a period of twenty years," the firm said.
The citation of cardholder data in the settlement "generally refers to the full payment account number on a credit or debit card, and may also include the cardholder name and expiration date."
Wyndham also has a 10-year obligation to notify the FTC whenever it makes changes to its corporate structure or to the FTC's designated points of contact.
According to the King & Spalding analysis, Wyndham has four significant obligations under the consent order. These are establishing a " 'comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity' of cardholder data," and accepting an annual audit related to security practices.
In addition, Wyndham must obtain an independent assessment and incident report within 180 days of any data breach that involves more than 10,000 payment card numbers. Lastly the company must receive an independent assessor's certification that any " 'significant change' to the company's information security practices complies with approved standards."
More specifically, the assessment must identify "material internal and external risks" to the "security, confidentiality, and integrity" of cardholder data. Sprinkled throughout the agreement are references noting that company efforts must reflect a "reasonable" approach to security measures.
"As with prior settlements involving data security, the agreement lays out a number of steps that companies might follow to help lower the risk of a future data breach, but it is not an exhaustive list. The settlement does not address what a company should do in the event of a breach," said the Electronic Transactions Association's Talbott.
"The settlement will certainly provide useful guidance to future companies and will underscore the need for companies to protect their customers by following industry-standard data security practices," said the Electronic Privacy Information Center's Butler.
"These breaches cause great harm to consumers, and it is the responsibility of companies to provide adequate data security. If they cannot protect it, they should not collect it," he said.