Government Regulation of Cybersecurity Practices: FTC v. Wyndham Worldwide Corp.
“You might want to check your [insert business name] account. They’ve been hacked.”
Marie Claire Langlois*
It is a warning heard far too often. Companies from Target to Sony, from Home Depot to JPMorgan Chase, have all been left recovering from malicious attacks by hackers intent on stealing thousands of clients' identities for their own benefit. Kevin Granville, 9 Recent Cyberattacks Against Big Businesses, N.Y. Times (Feb. 5, 2015), http://www.nytimes.com/interactive/2015/02/05/technology/recent-cyberattacks.html. Because the hackers' identities are often never discovered, private consumers can only bring legal action against the businesses holding their personal information, alleging that those businesses failed to protect it through commercially reasonable cybersecurity practices. Alison Frankel, Thanks to 3rd Circuit, companies are accountable for lax cybersecurity, Reuters (Aug. 24, 2015), http://blogs.reuters.com/alison-frankel/2015/08/24/thanks-to-3rd-circuit-companies-are-accountable-for-lax-cybersecurity/, ¶ 2.
Historically, judges have found against plaintiffs who could allege only potential future damages from a cybersecurity breach, creating a system in which only plaintiffs who have already suffered financial loss can find relief. See Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012); see also Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011). By holding that individuals who have not yet suffered financial loss cannot allege a sufficient injury, the courts leave consumers with nothing to ease their concerns and provide little comfort to those still vulnerable to an attack. See generally Frankel, supra. As a result, businesses could well find it more profitable simply to pay off the legal suits of consumers whose information has been stolen than to actually fix their deficient cybersecurity practices, leaving a high probability of future victims. Id.
It remains unsettled what legal remedy the government has against businesses with inadequate cybersecurity policies, and while many federal statutes address cybersecurity in some form, there has previously been no general federal duty to protect personal data. Eric G. Orlinsky, Kathryn L. Hickey & David T. Shafer, Cybersecurity: A Legal Perspective, 47 Md. B. J. 33, 36 (Nov./Dec. 2014). A recent court decision has changed much of this, drastically altering the way businesses will have to approach their cybersecurity obligations in the future. Frankel, supra.
On August 24, 2015, the United States Court of Appeals for the Third Circuit decided an interlocutory appeal from the United States District Court for the District of New Jersey's denial of a motion to dismiss. F.T.C. v. Wyndham Worldwide Corp., No. 14-3514, 2015 WL 4998121, at *1 (3d Cir. Aug. 24, 2015). The Federal Trade Commission (the FTC) had filed its complaint under 15 U.S.C. § 45(a), alleging on multiple factual grounds that the cybersecurity practices of Wyndham Worldwide and its subsidiaries fell below a commercially reasonable standard. Id. at *2. The FTC relied heavily on the fact that, in 2008 and 2009, Wyndham had been the target of three separate cyberattacks, through which hackers obtained the payment card information of over 619,000 customers and caused $10.6 million in fraudulent charges. Id. at *3. Many of the deficient practices that allowed these breaches to happen were allegedly never corrected between attacks, and yet Wyndham's privacy policy still represented that its security measures met "commercially reasonable" standards. Id. at *2.
Wyndham argued on appeal that the FTC has no authority to regulate a business's cybersecurity practices under 15 U.S.C. § 45(a), and that even if it did, Wyndham lacked fair notice that its cybersecurity choices fell short of the statute's requirements. Id. at *1. The court found these arguments unpersuasive and affirmed the district court's denial of the motion to dismiss. Id. at *16.
The effect of this decision cannot be overstated. Since 2005, the FTC has brought administrative actions on similar claims involving deficient cybersecurity practices, but most of them have ended in settlement. Id. at *1. Until this decision, the courts had not had an opportunity to decide whether the FTC rightfully holds this supervisory authority. Frankel, supra. In effect, the decision confirms that the FTC may directly regulate businesses' cybersecurity practices, giving the government another effective tool to protect the public against unfair business practices. See Steven Wildberger, Federal appeals court: FTC has power to regulate corporate data-security practices, Jurist (Aug. 25, 2015), http://jurist.org/paperchase/2015/08/federal-appeals-court-ftc-has-power-to-regulate-corporate-data-security-practices.php.
This decision will allow the FTC to keep pursuing businesses with deficient cybersecurity systems, and could prevent subsequent breaches, protecting more consumers before they become victims of financial fraud. Businesses may also keep their cybersecurity protocols current in order to avoid expensive enforcement actions and lawsuits, which ultimately cost more than the preventive measures themselves. While the final outcome of the Wyndham case has yet to be seen, and the district court must still apply 15 U.S.C. § 45(a) to the facts as proven, if the trial court sees things as the appellate court did, it seems likely that Wyndham will lose. Wyndham Worldwide Corp., 2015 WL 4998121, at *5. As the opinion states:
A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.
Id.
This decision will hopefully stand as settled precedent, allowing the FTC to regulate unfair data security practices generally, which would encourage higher cybersecurity standards across the United States. As a result, consumers might finally have a practical safeguard against financial fraud and cybersecurity breaches.
* Marie is a second year law student at the University of Baltimore School of Law, serving as Publications Chair for the Women’s Bar Association, Law Scholar for Professor Byron Warnken, and Staff Editor for Law Review. After spending four years in Columbus, Ohio, and graduating magna cum laude with a Bachelor’s in Fine Arts, Marie moved back to her home state of Maryland to pursue a job in media sales. In 2014, Marie directed her focus to a more fulfilling venture into law, with the intention to more directly aid the people and businesses of her community.