Court ruling leads to fears of FTC litigation on cybersecurity
August 28, 2015
Katie Bo Williams
Industry groups are worried that an appeals court ruling giving the Federal Trade Commission permission to sue for shoddy cybersecurity will result in overregulation.
Earlier this week, the 3rd Circuit U.S. Court of Appeals ruled unanimously that the FTC can go forward with a lawsuit alleging that the Wyndham Worldwide Corp. did not do enough to safeguard its customers’ personal data.
The hotel company suffered three significant breaches between 2008 and 2010, resulting in the theft of credit card information for more than 600,000 patrons.
Some are concerned that Monday’s ruling will open the floodgates to more punitive action by the agency.
“We are concerned that Monday’s decision will exacerbate the unfortunate trend over the last 10 years of ad hoc litigation and overregulation when it comes to cybersecurity,” Steven Lehotsky, vice president and chief counsel for regulatory litigation at the U.S. Chamber Litigation Center, told The Christian Science Monitor.
The FTC has brought more than 50 lawsuits against companies over lax cybersecurity, most of which have resulted in settlements.
Its cases rely on the assumption that poor cybersecurity can be considered an unfair or deceptive trade practice, outlawed by the 1914 Federal Trade Commission Act.
Experts say that many companies already consider the FTC to be the cop on the beat and work to ensure their cybersecurity practices don’t draw enforcement attention.
The decision simply “confirms what everyone operating in the field already knew or took for granted,” said Scott Vernick, partner and head of the data security and privacy practice at Fox Rothschild.
Critics of the FTC’s claim to cybersecurity authority say that the agency has failed to lay out clear regulations for companies to follow. They say it relies instead on a vague requirement that companies provide “reasonable” protection to their customers.
The business community says the companies are also victims and has condemned the agency for inappropriately punishing them.