Mass collection and storage of consumer information \u2013 including sensitive and personal information \u2013 is a fact of life in today\u2019s marketplace. So are hacks and data breaches. In more than thirty states there are laws that require consumers to be notified of a data breach, and there are bills in both the Senate and the House that would result in a federal breach notification standard. However, these laws only take effect after information has been exposed.<\/p>\n
But now, thanks to a recent ruling by The U.S. Court of Appeals for the Third Circuit, the Federal Trade Commission (\u201cFTC\u201d) has a way of helping prevent consumers\u2019 information from being exposed in the first place: the power to declare cybersecurity acts or practices \u201cunfair\u201d under the Federal Trade Commission Act. Moreover, the FTC has the power to impose monetary penalties on, or require oversight or other remedies for, companies whose cybersecurity flunks FTC scrutiny.<\/p>\n
In Federal Trade Commission v. Wyndham Worldwide Corporation, et al.<\/em> (3rd Cir. Aug. 25, 2015), hackers accessed the Wyndham hotel and resort chain\u2019s computer systems three separate times in 2008 and 2009, successfully stealing consumers\u2019 personal and financial information (including names, addresses, and payment card and account information). The cyber attacks resulted in fraudulent charges to consumers exceeding $10.6 million, as well as losses to consumers of time and money. Among other things, the FTC found that consumers bore unreimbursed fraudulent charges, lost access to funds, experienced increased costs, and were forced to spend time resolving fraud and mitigating subsequent harm.<\/p>\n Still, it appears that the FTC is ready to use its authority in situations where businesses fail to employ reasonable cybersecurity measures…<\/p><\/blockquote>\n According to the FTC\u2019s complaint, hackers were able to gain access due to the following deficiencies in Wyndham\u2019s cybersecurity operations: Wyndham failed to encrypt sensitive information (Wyndham left information in a clear and readable form); used easily guessed passwords; failed to use readily available security features, such as firewalls; allowed access to its network from systems that were outdated or lacked important security updates; failed to impose reasonable restrictions on who could access information in its systems; failed to take measures to detect and prevent unauthorized access to its network; failed to monitor its network; and made untrue claims about how consumers\u2019 information was being protected. In the FTC\u2019s view, these acts (or omissions) and practices amounted to unfair cybersecurity practices.<\/p>\n Judge Thomas Ambro, writing for himself and Judges Scirica and Roth agreed, holding that the Federal Trade Commission Act (15 U.S.C. \u00a7 45(a)) (the \u201cAct\u201d) grants the FTC the authority to regulate cybersecurity practices under standards for unfairness. Wyndham had challenged this because Congress had, on prior occasions, enacted targeted cybersecurity protections, which the FTC supported, and which, Wyndham argued, precluded the \u201cfairness\u201d action here. The Third Circuit disagreed. The \u201c[FTC] unfairness actions against companies whose inadequate cybersecurity resulted in consumer harm [are] not inconsistent with the agency\u2019s earlier position\u201d supporting targeted legislation. Wyndham had also objected that it lacked fair notice that its cybersecurity practices fell short of the Act\u2019s requirements. The Third Circuit rejected this because Wyndham \u201ccould reasonably foresee that a court could construe [Wyndham\u2019s] conduct as falling within the meaning of the statute.\u201d<\/p>\n The Wyndham <\/em>case involved a motion to dismiss, so we may not have heard the end of this story yet. Still, it appears that the FTC is ready to use its authority in situations where businesses fail to employ reasonable cybersecurity measures and harm results to consumers, or substantial consumer injury is likely. Although critics argue that the rule is vague, there are guidelines that businesses can follow. For example, businesses can review the FTC\u2019s guidance and past actions related to cybersecurity, and can visit the FTC\u2019s Business Center website (where the FTC posts privacy and data-breach-related suggestions). Businesses can also follow trade group or industry-specific-recommended practices or standards.<\/p>\n Meanwhile, Wyndham\u2019s <\/em>message for businesses (and their counsel) is loud and clear: failing to take cybersecurity seriously creates a wide range of risks, for a company and its customers.<\/p>\n","protected":false},"excerpt":{"rendered":" Mass collection and storage of consumer information \u2013 including sensitive and personal information \u2013 is a fact of life in today\u2019s marketplace. So are hacks and data breaches. In more than thirty states there are laws that require consumers to be notified of a data breach, and there are bills in both the Senate and<\/p>\n","protected":false},"author":5,"featured_media":255,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12,52,20],"tags":[],"coauthors":[75],"class_list":["post-620","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-alumni-authored","category-compliance","category-technology","masonry-post","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-33"],"yoast_head":"\n