The U.S. Court of Appeals for the Third Circuit ruled last month that the Federal Trade Commission has the power to take action against businesses that fail to protect consumer data from hackers and cyberthieves. It is important that the FTC wield this newly affirmed authority to regulate corporate information security practices wisely.
The FTC alleged that the Wyndham hotel chain failed to live up to its promise to protect its customers’ data from being compromised, and as a result, hackers stole personal and financial information about hundreds of thousands of customers.
In total, consumers faced $10.6 million in fraudulent charges. Wyndham tried to have the FTC’s case dismissed on the grounds that the commission lacked the authority to regulate the company’s cybersecurity practices, but the court sided with the FTC.
Although Wyndham will still have its day in court to defend itself against the FTC’s allegations that it did something wrong, this decision will allow the FTC to hold companies accountable for failing to uphold their public commitments to good security.
Wyndham argued that the FTC’s authority to police unfair and deceptive practices does not apply to cybersecurity. The company reasoned that extending this authority would lead to overzealous oversight, such as the FTC suing grocery stores for being “sloppy about sweeping up banana peels” if a few customers slip and fall. This argument did not persuade the court.
In its Aug. 24 decision, the court said that if a company attracts customers who are concerned about data privacy and then fails to make good on its promises for cybersecurity, leading to substantial financial injury for those customers, then the FTC can pursue that company for the practices in question. Furthermore, the court remarked that “were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability.”
The court rightly held that the FTC has the authority to take action against companies with lax information security practices because there is no question that exposing personal information, such as credit card numbers and home addresses, has the potential to cause substantial harm to consumers.
A BASIC TEST
“Substantial injury” has long been one of the basic tests for an unfair act or practice under the Federal Trade Commission Act. The FTC first issued a policy statement to that effect in the mid-1960s. Then, in 1980, it issued a second policy statement clarifying that not every consumer injury is legally “unfair.” The injury has to be substantial; it cannot be outweighed by countervailing benefits to consumers or competition; and it must be an injury that consumers themselves could not reasonably have avoided. A decade and a half later, Congress codified those three conditions into law through the FTC Act Amendments of 1994.
Although the court has established that the FTC has authority to take legal action against “unfair” information security practices, the FTC should nonetheless exercise discretion in how it uses this oversight. The goal of its enforcement actions should be to spur companies to invest in information-security countermeasures that protect consumers.
If the FTC uses its oversight haphazardly, companies may simply hire more lawyers to reduce their legal exposure, rather than implement reforms that actually make their customers better off. The FTC should tread carefully so that it does not simply turn compliance into a check-the-box activity that merely drains company resources away from meaningful improvements in a company’s information security practices.
In addition, the FTC should set clear and reasonable standards for companies to adhere to. It is unfair to take a “blame the victim” approach and penalize companies that are hacked by malicious criminals if the company did not engage in negligent practices. As the Information Technology and Innovation Foundation has argued before, the FTC should recognize that misguided enforcement actions will discourage companies from taking the risks necessary to pursue innovation. Actions resulting in consumer harm that arise from malfeasance, negligence or neglect are significantly different from unintentional mistakes that occur in the course of doing business.
Therefore, in deciding when to take action and how much to penalize companies, the FTC should assess whether the company’s actions caused consumer harm and whether they were intentional or undertaken in good faith. Unintentional and harmless actions by companies should elicit a smaller penalty (or no penalty) compared to intentional or negligent actions that caused harm.
By making it riskier to ignore security best practices, the FTC will strengthen the hands of chief information-security officers and allow them to make a compelling case for investing in stronger information security in boardrooms around the country.
The court’s ruling is a good step forward for consumers, who have seen a spate of data breaches in this past year, including the exposure of financial data from as many as 56 million customers of Home Depot and the recent release of data on some 30 million users of the website Ashley Madison.
Through targeted enforcement, the FTC can signal to the private sector that companies that are reckless with their customers’ data will face severe consequences, while simultaneously encouraging investment in top-of-the-line information-security protections to prevent future breaches.
Reprinted with permission from the September 7, 2015, edition of the National Law Journal© 2015 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 - [email protected] or visit www.almreprints.com.