Recently we wrote about the legal risks in overpromising your ability to protect electronic data you obtain from your customers. As one major (you’re probably a member) social networking site learned, promising “industry standard” cybersecurity can be a huge mistake if the standard evolves after you make the initial promise, yet you fail to evolve. If a court accepts the premise that your customers chose to deal with you because you said you would protect them from computer-based fraud, you could wind up in trouble when the promised protection fails.

That risk of failing to deliver was underscored August 24 when a federal appeals court in Philadelphia upheld the Federal Trade Commission’s authority to pursue regulatory enforcement actions against the victim of a major cyber-attack.
Say Again?
Hospitality company Wyndham Worldwide franchises and manages hotels under several well-known brand names. Each branded hotel uses computerized property management systems configured to Wyndham’s specifications. The systems include a variety of information about guests, including payment card information. Over about a year, hackers connected to Russia broke into several of these systems, stole information for more than 500,000 accounts, and caused more than $10 million in fraudulent charges.

The Federal Trade Commission sued Wyndham, claiming its online privacy policy promising to “safeguard our customers’ personally identifiable information” using “industry standard practices” was deceptive. Contrary to this policy, Wyndham did not use encryption, firewalls, and other commercially reasonable methods for protecting consumer data.

A lower court refused to dismiss the case. The question before the Court of Appeals panel was whether the FTC has authority to regulate cybersecurity under a section of federal law that prohibits “unfair” acts or practices affecting commerce. The panel answered with a resounding “yes.”

In addition, the judges rejected Wyndham’s claim that the FTC complaint failed to “spell out what specific cybersecurity practices . . . actually triggered the alleged violation.” The opinion outlines several cybersecurity failures the FTC had cited in its complaint, noting these were issues the agency had brought up in earlier complaints against another business.
Enforcement Activity Likely to Increase
Since 2005 the FTC has brought administrative enforcement actions against companies with allegedly defective cybersecurity that failed to protect consumer data against hackers. It’s critical to note that these actions relate more to promises about security than defects in security. Thus, it is a mistake to assume that the federal government has its hands full with security failures in its own systems and won’t pursue regulatory enforcement actions against businesses victimized by the same hackers that also attack the government. Also, while the Wyndham court was not ruling on the merits of the FTC’s complaint, its nod to the FTC’s description of unreasonable cybersecurity practices is important. Without comprehensive federal cybersecurity standards, a company’s legal responsibilities will continue to be forged by judge-made common law. (We’ve discussed this before in connection with security guidance principles published by federal banking regulators.)

The main thing to remember is that the Wyndham decision is likely to influence not only lower federal courts, but also the FTC’s own appetite for pursuing businesses that claim broad privacy policies but fail to back them with robust security.
Check Your Protection Plan
Whatever your business, if you handle personally identifiable information, credit cards or any other form of electronic payments, especially for consumers, it is critical to review your cybersecurity and privacy policies in light of your actual business practices. A member of SKO’s Privacy and Information Security practice can advise in this effort.

Cyber intrusions may seem inevitable, but with proper legal planning the fallout does not have to include being hauled before the FTC.