Regulator accused of overstepping on cybersecurity enforcement

by Elise Viebeck - 03/03/15 5:22 PM ET

A federal consumer watchdog has overstepped its authority by punishing companies for weak cybersecurity, lawyers for Wyndham Worldwide argued Tuesday.

The hotel chain is battling the Federal Trade Commission (FTC) in a high-stakes legal case that will help define the role of the federal government in protecting the security of consumer data online.

{mosads}The 3rd Circuit Court of Appeals heard 90 minutes of spirited oral arguments Tuesday, as Wyndham’s lawyers sought to reverse a district judge’s decision endorsing the FTC’s enforcement authority.

Since 2002, the commission has brought more than 50 legal actions against companies purported to have weak cyber defenses that put consumer data at risk.

Wyndham, which suffered a severe data breach in 2008-2009, is seeking to dismiss the FTC complaint by arguing, in part, that the commission’s action is illegal.

“The commission has simply anointed itself a roving cybersecurity prosecutor — but, unlike other prosecutors, one that seeks to define the offense and to do so after the fact,” Wyndham argued in a court brief.

The case highlights a legal gray area that has become more relevant to companies, as threats from hackers explode in frequency and severity.

Described by experts as the “stopgap regulator” for Internet privacy, the FTC seeks to protect consumer data online using a prohibition against “unfair or deceptive” commercial practices in Section 5 of the Federal Trade Commission Act.

The commission has invoked this authority in bringing legal action against companies it considers to have weak cybersecurity, including many that have suffered data breaches. Firms from Twitter to Fandango to CVS have all been targets of FTC privacy actions since 2002.

Many of the cases have ended in settlements requiring companies to undergo third-party cybersecurity audits for up to 20 years. The FTC is generally not authorized to dole out fines unless they are ordered by law, so many of the settlements do not have a dollar amount attached.   Companies charge that the commission has not sufficiently defined its enforcement standards for cybersecurity.

The Wyndham case might provide the ultimate test.

Lawyers for the company argue that the FTC has no authority from Congress to police corporate cybersecurity and that it has not pursued authority through the appropriate notice and rule-making procedures.

Wyndham also argues it was not at fault in the data breach — that its practices were not “unfair” or “deceptive.” The hack resulted in the theft of hundreds of thousands of customers’ private information.

Legal experts predicted that the 3rd Circuit ruling will be a watershed moment in cybersecurity law with major consequences for companies and consumers.

“It is a tremendously significant, wildly significant case,” said Fred Cate, a cybersecurity expert and professor at Indiana University’s Maurer School of Law.

“If the FTC cannot use its authority under Section 5, then all bets are off. If they get they the green light, they might be emboldened to use that power much more broadly.”

Woodrow Hartzog, a law professor at Samford University and noted expert on the FTC, argued that a decision against the commission could harm consumers.

“The FTC is the nation’s most significant regulator for privacy and data security,” he wrote in an email to The Hill.

“If it loses the ability to regulate data security as an unfair and deceptive trade practice, consumers will be less protected against unreasonable data security practices and, as a result, more vulnerable.”

The Wyndham legal team is facing an uphill battle, experts said.

U.S. District Judge Esther Salas, an appointee of President Obama, ruled for the FTC in April, and many in the legal community believe the 3rd Circuit will back her decision.

Still, the FTC did not get a pass from the three-judge panel in court on Tuesday.

Judge Thomas Ambro, an appointee of President Clinton, reportedly questioned whether the FTC gives companies sufficient notice that their cyber practices are “unfair.”

In February, judges asked the lawyers to prepare to discuss whether unreasonable cybersecurity practices are “unfair” under the FTC Act. Some experts described this as a sign that the case is not necessarily a slam dunk for the government.

“I would not at all be surprised if the case went to the Supreme Court,” Cate said. “And if in fact this went against the FTC, Congress would almost certainly have to act because we would be left without a security regulator with authority across the economy.”

The FTC and lawyers for Wyndham declined requests to comment.