As Wells reported Monday, the Third Circuit has issued its decision in Federal Trade Commission v. Wyndham Worldwide Corp. Readers may recall the background of the case. Wyndham was hacked by a Russian criminal gang who stole a host of personally identifiable information maintained by Wyndham for its customers -- everyone, essentially, who ever stayed at the hotel chain. The FTC brought a suit against Wyndham with two allegations -- one (not terribly controversial legally) that Wyndham had misrepresented its cyber security practices. The other (much more controversal legally) alleging that the failure to take adequate cybersecurity measures was an "unfair business practice" subject to regulation by the FTC. Wyndham's principal argument in court was that reading "unfair business practices" to include inadequate or unreasonable cybersecurity measures was a bridge to far and that, as a result, the FTC was acting ultra vires.
The Third Circuit decision is a resounding victory for the FTC. The court first determined that there was ample legal authority for the FTC to address cybersecurity practices as unfair. It then held, in a significant portion of the ruling, that the FTC's prior actions in respect of various consent decrees gave Wyndham ample notice of what constituted an inadequate program of cybersecurity (and, by inference, some indication of adequacy).
This opinion is likely to be the most consequential cybersecurity opinion of a court this year or for the near future. Here are some of the implications:
- All consumer facing American organizations currently subject to the FTC's general consumer protection jurisdiction are now subject to cybersecurity regulation by the FTC.
- The FTC does not, however, have to define adequate cybersecurity by rule or regulation or guidance -- it may provide adequate notice of what the law requires throught its enforcement process. Prior consent decrees will need to be consulted to determine what is required.
- Whatever that standard turns out, in the end, to be it is now a minimum standard that corporate America must follow.
- I predict that the same standard will gradually be imported into other areas where FTC regulation does not extend.
- For many corporations this new FTC minimum will also be the de facto maximum, since meeting FTC standards will likely prove a litigation safe harbor against anyone else.
All of this means that the FTC now owns cybersecurity in the private sector. Which is an odd result. One would surely have thought that DHS (or DoD or DOJ or even the Department of Commerce) would have had a more salient role in defining standards for the private sector. But somehow, we've converted a consumer protection mandate into a cybersecurity obligation and assigned that role to an independent agency. Candidly, I don't think the FTC is up to the task -- not in terms of staffing nor in terms of expertise -- but we will soon see how that turns out. Stay turned ...