Tweets and shares this morning came in a flood over the recent ruling in favor of the U.S. Federal Trade Commission (FTC). In a long-awaited and precedential ruling, the U.S. Court of Appeals for the Third Circuit upheld a 2014 ruling by a lower court in which Wyndham Worldwide Corp sought to have the FTC's case against it dismissed. The lower court denied that motion, and the Circuit Court of Appeals granted interlocutory appeal on two issues: whether the FTC has authority to regulate cybersecurity under the unfairness prong of 15 U.S. Code § 45(a) and, if so, whether Wyndham had fair notice that its specific cybersecurity practices could fall short of that provision.
Commissioner Julie Brill tweeted that it was “a great win for @FTC & consumers. We will continue to be tireless cop on beat of consumer.”
In affirming the lower court’s ruling 3-0, the Court of Appeals has permitted the case to move forward and determined that the FTC has authority to regulate corporate cybersecurity, and may pursue a lawsuit against corporations (in this case Wyndham) accusing them of failing to properly safeguard consumers’ information.
What happened? In 2008 and 2009, Wyndham suffered three incidents in which hackers breached its computer systems and stole consumer data – mainly credit card data, along with other personally identifiable information, on over 619,000 consumers, resulting in more than $10.6 million in fraudulent charges to those consumers. The FTC's position was that Wyndham's business practices put those consumers at risk.
Without deciding the merits, the appellate court noted the FTC's allegations that Wyndham failed to:
- Store payment card information securely (stored in clear text);
- Require complex passwords to access the systems (permitted easy-to-guess passwords);
- Use common security practices, such as firewalls, to limit access;
- Control network access with appropriate cybersecurity precautions (permitted outdated operating systems, used default passwords, lacked appropriate policies, and failed to inventory connected devices);
- Restrict third party access to networks;
- Employ reasonable measures to detect and prevent unauthorized access to its computer network or to conduct security investigations; and
- Follow proper incident response procedures (hackers used the same method each time).
While eagerly awaiting this decision, the privacy community (and other communities as well) debated Wyndham's argument that, unless the FTC publishes a cybersecurity guide detailing the standards it expects companies to meet, the FTC cannot pursue a company for unfair cybersecurity practices. The Court of Appeals demolished this belief. “In sum, we have little trouble rejecting Wyndham's fair notice claim,” Circuit Judge Thomas Ambro wrote. He held that Wyndham failed to show that its alleged conduct “falls outside the plain meaning of ‘unfair.’”
So while cybersecurity itself may not necessarily be within the purview of the FTC, unfair business practices are – and shoddy cybersecurity is unfair to consumers.
My recommendations: update your cybersecurity program, review your online privacy statement for accuracy, and for goodness' sake – if you have a breach, plug the durn hole.