I apologize for not posting anything the last week or so. I’ve been inordinately busy, between some family issues and work. I should be back on schedule for the foreseeable future.
FTC v. Wyndham represents one of the more important recent cases, at least in the realm of cybersecurity. The case arises from an FTC lawsuit against Wyndham, claiming that the hotel chain failed to properly implement its own security policies. As a result of these poor security practices, hackers managed to break into Wyndham’s network and steal customers’ credit card information on three separate occasions (in 2008 and 2009). The FTC seeks the ability to regulate cybersecurity, mostly by holding companies to their own data security policies and procedures. The case recently took a major step forward when the US District Court in New Jersey rejected Wyndham’s motion to dismiss.
In some ways, this case has the greatest implications for cybersecurity regulation of any active US government effort. By seeking to hold Wyndham responsible for the data breach, the FTC is claiming a rather broad regulatory authority under its consumer protection mandate. Specifically, the FTC claims that its authority to establish or enforce existing data security policies derives from a rule prohibiting “unfair or deceptive acts in or affecting commerce” in Section 5 of the FTC Act. The FTC argues that failing to adhere to data security policies results in considerable consumer harm, rendering the lack of effective data security policies “unfair.” For those interested, this Lexology article contains a rather detailed rundown of both the FTC’s and Wyndham’s arguments. If the FTC possessed this authority, it could become the major entity for cybersecurity regulation in the US government. The current Cybersecurity Framework is mostly advisory, and only really applies to entities engaged in a great deal of government contracting (since the agencies can use the Framework when making contracting decisions). That leaves a significant gap in the government’s regulatory authority, since the Framework possesses no power over private sector entities not engaged in government contracting.
The final result of this case remains to be seen. However, the FTC has cleared an important hurdle by surviving a motion to dismiss. It should be interesting to see how the court rules in this case.