NOTE: This post was originally published on September 17, 2015
A US appeals court has recently ruled that the Federal Trade Commission now has the authority to regulate corporations’ cybersecurity.
This means the FTC can tell corporations what measures they must take to protect their customers’ data, and it can levy criminal charges against corporations that don’t comply.
The case concerns Wyndham Worldwide Corp, which owns major budget hotel franchises like Days Inn, Howard Johnson, Ramada, Super 8, and Travelodge. In 2008 and 2009, three security breaches resulted in 619,000 customers’ credit card details being leaked to hackers.
The damage? US$10.6 million in fraudulent charges.
No Opposition. None.
The unanimous decision by the Third US Circuit Court of Appeals in Philadelphia upheld the same ruling from a lower court made in April this year, which allows the FTC to move forward on its case. The ruling is the most high-profile win yet for the FTC when going after companies with deficient cybersecurity. The agency has brought forth such actions against corporations since 2005, but most end in settlements or consent orders and don’t really suffice as legal precedent.
The FTC won the case under the 1914 consumer protection law that led to the creation of the agency itself. The court said insufficient cybersecurity can be deemed unfair “if the practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
The ruling is a bit of a double-edged sword. On one hand, the FTC can now enforce stronger cybersecurity standards for corporations, in turn better protecting consumers. Companies must ensure that their privacy policies are accurate and, if they promise to safeguard information using industry standard practices, they must stay updated with those practices.
On the other hand, the exact standards are hazy. It’s now up to the FTC to determine what constitutes reasonable cybersecurity measures. Unfortunately, cybersecurity could be a space that evolves faster than the wheels of the government can turn. A set of standards laid out today could be insufficient tomorrow.
Many questions remain regarding the FTC’s newly awarded power. Who exactly will set cybersecurity standards? The government? A badge-awarding third-party alliance? Will small businesses be required to invest in the same levels of security as big corporations?