In a widely anticipated opinion issued on August 24, 2015, the Third Circuit left no doubt about the Federal Trade Commission's (FTC) authority to bring cybersecurity enforcement actions. The Court determined in FTC v. Wyndham that:
- The FTC may bring cybersecurity cases under the unfair or deceptive acts provisions of the Federal Trade Commission Act (FTCA)
- The FTC's past investigations and publications (and the statute itself) provided businesses with sufficient notice of potential liability under the Act
In short, the era of FTC investigations of and enforcement actions against businesses relating to the implementation and execution of appropriate cybersecurity protection measures is here.
Facts
The Wyndham case arose from multiple data breaches suffered by Wyndham Worldwide Corporation in 2008 and 2009. The FTC brought an action against Wyndham contending that it engaged in unfair cybersecurity practices that, "taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft." Specifically, the FTC charged that the defendant:
- Improperly stored payment card information
- Allowed easily guessed passwords to be used to access its property management systems
- Failed to use readily available security measures such as firewalls
- Failed to implement cybersecurity policies and procedures, including by allowing the use of an obsolete operating system
- Failed to maintain an adequate inventory of the computers connected to its network
- Failed to adequately restrict access to its systems and data
- Failed to institute measures to detect and prevent unauthorized access
- Failed to follow proper incident response procedures
Unfairness
The defendant argued that cybersecurity practices could not be found unfair under the FTCA. The Court held that a showing that a practice "causes substantial injury to consumers" was sufficient for it to be deemed unfair. The Court also made short work of the defendant's argument that an unfair practice must additionally be inequitable, noting that "[a] company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business." Wyndham, p. 17. The Court further noted that unfairness and deception claims under the statute may overlap, and that such claims "may be brought on the basis of likely, rather than actual, injury."
Notice
Having determined that the FTC has the authority to bring cases concerning cybersecurity practices, the Court next turned to whether the defendant had received fair notice of its potential liability under the FTCA. The Third Circuit concluded that fair notice had been given because the FTC had repeatedly publicized its position that cybersecurity practices could be found unfair under the statute, through public statements, publicized enforcement actions and investigations, the FTC's website, and the Federal Register. The Court further held that because the statute is civil rather than criminal, the standard for fair notice is less stringent, and that this relaxed standard applies with particular force where the statute regulates economic activity. The Court found that "[f]air notice is satisfied here as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute."
View the original content and more from this author here: http://ift.tt/1JIOfBv