Industry groups are worried that an appeals court ruling allowing the Federal Trade Commission to sue companies over shoddy cybersecurity will result in overregulation.
In a decision issued last week, the U.S. Court of Appeals for the Third Circuit ruled unanimously that the FTC can proceed with a lawsuit alleging that Wyndham Worldwide Corp. did not do enough to safeguard its customers’ personal data.
The hotel company was hit with three significant breaches between 2008 and 2010, resulting in the theft of credit card information of more than 600,000 patrons.
Some are concerned that Monday’s ruling will open the floodgates to more punitive action by the agency.
“We are concerned that Monday’s decision will exacerbate the unfortunate trend over the last 10 years of ad hoc litigation and overregulation when it comes to cybersecurity,” said Steven Lehotsky, vice president and chief counsel for regulatory litigation at the U.S. Chamber Litigation Center.
The FTC has brought more than 50 suits against companies over lax cybersecurity, most of which have resulted in settlements.
Its cases rest on the theory that poor cybersecurity can amount to an unfair or deceptive trade practice under Section 5 of the 1914 Federal Trade Commission Act.
Experts say that many companies already consider the FTC to be the cop on the beat and work to ensure their cybersecurity practices don’t draw enforcement attention.
The decision simply “confirms what everyone operating in the field already knew or took for granted,” said Scott Vernick, partner and head of the data security and privacy practice at Fox Rothschild.
Critics of the FTC’s claim to cybersecurity authority say the agency has never laid out clear rules for companies to follow, relying instead on a vague requirement that companies provide “reasonable” protection for their customers’ data.
The business community has condemned the agency for inappropriately punishing companies for being victims.
“Excessive enforcement by agencies relying on decades-old laws that were not meant to address cybersecurity is not the solution to [a] national security problem,” Lehotsky said.
Others say fears that the FTC will treat Monday’s ruling as a license to crack down broadly on companies with questionable security practices are overstated.
“From a practical standpoint, I don’t see the FTC deciding that the Third Circuit has now given it a blank check to go out after every company that has a breach,” said Kristine Devine, a communications attorney with Harris, Wiltshire & Grannis.
She characterized the FTC’s cybersecurity actions to date as “judicious,” noting that it has largely limited itself to cases like Wyndham, where the allegations, if true, represent a clear case of deceptive trade practices.
The agency’s case against the hotel chain hinges on Wyndham’s own privacy policy, which says the company takes “commercially reasonable efforts to create and maintain ‘fire walls’ and other appropriate safeguards,” including encryption.
The FTC alleges that, contrary to that policy, Wyndham neither encrypted the data nor used firewalls, a gap between stated and actual practice that experts say would be fairly cut-and-dried as a deception claim.
Devine also points out that the Third Circuit’s decision is binding only within that circuit. In another circuit, a company might follow Wyndham’s lead and challenge the FTC’s authority to police cybersecurity practices, although it would be unlikely to prevail.
“I think the Third Circuit’s reasoning is pretty sound, I don’t necessarily think another court would strongly disagree,” Devine said. “[The ruling] is not precedential, but it’s persuasive.”