Courts Affirm FTC Authority to Punish Companies for Lax Cybersecurity

Since 2002, the Federal Trade Commission has been pursuing businesses for substandard cybersecurity practices under Section 5 of the FTC Act, which empowers the FTC to crack down on unfair business practices.
Federal Trade Commission Chair Edith Ramirez in Washington on Jan. 15, 2014. (AP Photo/Susan Walsh)
Jonathan Zhou
8/24/2015
Updated: 8/30/2015

The law didn’t explicitly grant the FTC the power to regulate cybersecurity, but until 2012, no company had ever challenged the FTC’s authority, always choosing to settle with the agency. Settlements usually included a package of data security reform and program monitoring, often for as long as 20 years.

However, in 2012, the hotel chain Wyndham Worldwide challenged the FTC’s imposition of reform in court after the company suffered data breaches in 2008 and 2009, arguing that the “unfair” clause didn’t cover cybersecurity. Hackers obtained the credit card information of over half a million customers, which had been stored unencrypted in Wyndham’s database, after successfully brute-forcing an administrator’s account.

The FTC alleges that Wyndham made avoidable security errors, such as storing customers’ information in clear text, using easily guessed passwords for administrators, and not setting up a firewall on the hotel management system and the corporate network.

On Aug. 24, the Third Court of Appeals ruled in a 3–0 decision that Section 5 of the FTC Act did in fact empower the agency to prosecute lax cybersecurity practices, establishing a firm legal foundation for the FTC’s existing enforcement practices.

The judges rejected Wyndham’s argument that it wasn’t sufficiently warned about what regulations it would be subject to, known as “fair notice” in legal jargon, citing a 2007 FTC guide that recommended, but did not require, a list of security practices that covered many of the charges the FTC made against the hotel chain.

“The guidebook does not state that any particular practice is required by [the statute] but it does counsel against many of the specific practices alleged here,” the decision reads. “It recommends that companies ‘consider encrypting sensitive information that is stored on [a] computer network . . . check . . . software vendors’ websites regularly for alerts about new vulnerabilities, and implement policies for installing vendor approved patches.’”

The FTC has sought enforcement measures against more than 50 companies since 2002, and is currently considering pursuing a case against the retail giant Target, which lost the financial information of over 40 million customers in a 2013 data breach.