Responsibility for data privacy and cybersecurity causes anxiety and sleep deprivation for chief information officers, general counsels and CEOs for good reason. Virtually every day, headlines recount the miseries of a newly hacked company. What are the standards, expectations and legal liabilities for corporations confronting this risky new environment?
The U.S. Court of Appeals for the Third Circuit's closely watched Wyndham decision answers some of those questions, and the answers are likely to raise the anxiety level.
Everyone concerned with cybersecurity issues watched closely as hotel giant Wyndham Worldwide Corp. brought its challenge of the Federal Trade Commission's authority to regulate data privacy and cybersecurity. The short description of that opinion is that the Third Circuit supported broad FTC authority to investigate, set standards and punish violations.
The FTC has historically brought enforcement actions in the cybersecurity space under Section 5 of the FTC Act, which grants it the authority to regulate "unfair or deceptive" acts or trade practices.
Given the broad scope of activities that may fall under the rubric of "unfair or deceptive" acts, the FTC has exercised significant latitude in bringing such actions. The FTC argues that companies make promises to consumers to safeguard their information and limit themselves to using consumer information in certain ways.
If they fail to meet those promises or are negligent in protecting information, they have engaged in "unfair or deceptive" practices. Those violations may include failing to encrypt consumer credit card numbers, selling email lists when a company promised not to, or having a weak password policy that exposes consumer data to hackers and evildoers everywhere.
Decree Guidance
Although the FTC has been bringing such actions for quite some time, the vast majority were resolved by way of consent decrees—essentially settlements between the FTC and the target company that set forth the consequences for the company's shortcomings.
These consent decrees describe the allegedly wrongful or deficient conduct and then spell out the remedial measures—from fines to third-party monitoring of data use practices to required changes that address deficiencies in networks and password policies. Although consent decrees are applicable only to the target company, the body of consent decrees has created what commentators have called a common law of privacy.
Many companies chose to use those consent decrees as suggested guidelines for their cybersecurity practices while others did not. We now know that those companies that ignored the consent decrees did so at their peril.
The Wyndham case arose from several hacking incidents and Wyndham's failure to protect its networks and consumer data adequately, in a manner that would have either prevented those hacks or minimized their impact. Among Wyndham's mistakes, it stored payment card information in readable text, had inadequate password policies, had inadequate firewalls and monitoring of internet connections, failed to conduct security investigations and monitor for malware, and failed to act after having been hacked initially, which left it wide open to subsequent hacks. It was the combined set of shortcomings that led the court to conclude that Wyndham had engaged in cybersecurity practices that "taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft." And it bears mentioning that the court also found that Wyndham's stated privacy policy was deceptive.
Starting Point
In this case, Wyndham also argued that the FTC's action could not stand because it failed to provide notice to Wyndham of standards defining reasonable data privacy and cybersecurity practices.
The court rejected that argument and found that the prior consent decrees offered fair notice about the type of practices and conduct that the FTC deems to be "unfair or deceptive." This conclusion makes clear that the FTC's consent decrees, which are published and available to the public, are a good starting point for companies looking to develop or refine their policies and practices in the data privacy and cybersecurity area. So what does this mean? In English? It means that companies are subject to FTC enforcement actions for failing to meet the cybersecurity standards that the FTC deems appropriate to safeguard consumer information.
There is, however, no definitive guide that provides exacting standards that companies should implement. Executives tasked with cybersecurity within their companies should familiarize themselves with the body of FTC consent decrees publicly available on its website and monitor new actions being filed to better understand the evolution of what the FTC thinks is appropriate.
With technology evolving very rapidly, the FTC's views on cybersecurity are likely to evolve with it. The first order of business for any corporation that maintains sensitive data—which is almost every corporation—must be to assess its cybersecurity practices and compliance in light of the evolving and complex regulatory environment that is the reality after Wyndham.
This article appeared in the Daily Business Review on September 22, 2015, and is reprinted with permission.