̶ Ask not for whom the bell tolls, it tolls for thee.
John Donne’s famous “Meditation XVII” offers a haunting reflection on humanity. It also serves as an apt reference for the meaning of the recent decision by the U.S. Court of Appeals for the 3rd Circuit upholding the Federal Trade Commission’s (FTC) authority to investigate and take action against companies who fail to protect customers against cyber breaches. This decision inFTC v. Wyndham Worldwide Corp. has been keenly anticipated because Wyndham had argued that the FTC lacks the authority to regulate cybersecurity practices.
The FTC had accused Wyndham of using cybersecurity practices that “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” It further alleged that Wyndham failed to use “readily available security measures” such as firewalls to limit access to its data.
The FTC has been fairly aggressive in bringing suits based on data breaches, having settled 53 cases to date. It argues that it has the power to bring enforcement actions against companies it believes failed to take reasonable steps to prevent breaches. Wyndham, whose computer systems were hacked on three occasions in 2008 and 2009, resulting in the loss of hundreds of thousands of credit and debit card numbers, did not settle. Instead, it took on the agency headlong, suggesting that the FTC has consistently overstepped its statutory authority.
In upholding the FTC’s authority to pursue companies who suffer breaches and whose security practices do not meet evolving industry standards, the 3rd Circuit is effectively putting companies on notice. We can anticipate even more aggressive actions by the FTC. It is useful to read an analysis of the Court’s reasoning, such as the one done in The National Law Review. It will be prudent to take this decision as a harbinger of where regulation and law are headed, and prepare accordingly, before the bell tolls for thee.
By Tom Davis, SDI Cyber Risk Practice
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
You can view previous blog posts on cyber risk management here.
September 1, 2015