Over the past several years, the FTC has taken it upon itself to become the ‘police’ of commercial cyber security. It has filed cases against a variety of companies over lax security practices. The highest-profile case was against Wyndham Hotels, which the FTC accused of maintaining insufficient security measures on its data. Those weaknesses allowed three separate breaches (by Russian hacker groups), costing approximately $10.6 million in fraudulent charges on the credit cards that were stolen.
Wyndham Hotels appealed a recent suit filed by the FTC. Its defense is that the FTC does not have the authority to regulate this type of security for a private company.
An appellate court ruled this week, however, that the FTC has this authority. Wyndham’s spokesman commented on the ruling, saying, “While we are disappointed by [Monday’s] opinion, we continue to contend the FTC lacks the authority to pursue this type of case against American businesses and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security.”
Wyndham is just one of many companies arguing that the FTC is overstepping its bounds when attempting to regulate security. The FTC has a history of expanding its authority by simply taking action and then having the courts approve the authority after the fact. This, of course, is not the way the agency should be operating.
Michael Daugherty, CEO of LabMD, said of this issue, “FTC wants to become the No. 1 self-appointed cyber security regulator. FTC is creating common law [around cyber security] – get the consent decree; build precedent; avoid the courts; mislead and stonewall Congress; and play hero to the press.”
Just to be clear, the case against Wyndham is ongoing. This appeal was denied, but it did not have any impact on whether or not Wyndham was guilty of any type of neglect with regard to its cyber security efforts.
This case may, however, push Congress to take a closer look at how the FTC is assuming its authority and take some steps to either officially grant it authority in this area or rein it in.
Marketers at all levels will want to keep an eye on this situation as it could have a big impact on how cyber security is regulated in the future.