In the wake of a federal appeals court’s decision giving the Federal Trade Commission authority to come down on companies with inadequate cybersecurity, legal observers said the lack of clear regulation and the FTC’s newfound power will mean a surge in lawsuits.
The decision spawned from a case before the U.S. Court of Appeals for the Third Circuit in which the court ruled that the Wyndham hotel chain, sued by the FTC, could be held responsible for three data breaches of its computer network that resulted in $10.6 million in fraudulent charges to customers’ credit cards.
The FTC’s authority to enforce in cybersecurity matters comes specifically from the court’s decision to give the commission latitude to determine what is considered an “unfair” trade practice.
Scott Vernick, a Philadelphia-based Fox Rothschild attorney who represents Fortune 500 companies in data breach matters, said the authority gained from the Third Circuit’s decision coupled with the lack of solid regulations governing cybersecurity means the FTC will be putting many more companies in its crosshairs.
This could affect the likes of Sony, Ashley Madison, Target and Home Depot, Mr. Vernick said, because “aside from the regulations put out by the credit card companies, for a broad swath of companies there are no regulations that you can look up” on software, firewalls and data encryption, to name a few areas.
While other industries — like health care, transportation and the financial sector — have more definitive regulations, Mr. Vernick said for most commercial entities, the FTC points to its past enforcement actions for guidance.
Furthermore, he said the FTC has no interest in establishing clear regulations because it has more flexibility to police cybersecurity without them.
However, the resolution of the Wyndham case will likely produce more specific guidance, especially if the FTC wants to win the case, according to Michael Sussmann, who focuses on consumer privacy litigation at Perkins Coie in Washington, D.C.
Mr. Sussmann said the FTC does tend to use the lack of clarity to its advantage, but in a case where Wyndham is not likely to back down and enter into a settlement, the FTC will have to enumerate at least some standards for cybersecurity practices geared toward companies that hold consumer data.
“There will be some de facto standard,” he continued. “It may not be comprehensive, but it should begin to answer the question of what is an unfair business practice when it comes to cybersecurity and consumer data.”
While it’s still possible for Wyndham to prevail, Mr. Sussmann said, “If the FTC gets a strong win, I suspect it’ll be open season because they have this defined jurisdiction.”
Roberta Anderson, the co-founder of K&L Gates’ cyberlaw practice group in Pittsburgh, said that as the FTC begins to more aggressively pursue companies, businesses should get ahead of the curve by becoming more savvy in becoming “cyber-resilient.”
In addition to protecting their customers’ data, companies can avoid regulatory scrutiny by investing time in researching best practices, Ms. Anderson said. However, it all comes back to the lack of concentrated information on standards.
David Katz, a partner at Nelson Mullins Riley & Scarborough and head of its privacy and information security practice group, told Legal affiliate Corporate Counsel that the FTC means business: “If you don’t train your employees to use strong passwords, the battle is lost right there.”
View the original content and more from this author here: http://ift.tt/1Osv7hm
from cyber security caucus http://ift.tt/1KjHkyV
via IFTTT
No comments:
Post a Comment