FTC Consent Decrees Are Best Guide to Cybersecurity Policies
Daily Business Review
By Jon L. Mills and Pedro M. Allende, September 22, 2015
Responsibility for data privacy and cybersecurity causes anxiety and sleep deprivation for chief information officers, general counsels and CEOs for good reason. Virtually every day, headlines recount the miseries of a newly hacked company. What are the standards, expectations and legal liabilities for corporations confronting this risky new environment?
The U.S. Court of Appeals for the Third Circuit's closely watched Wyndham decision answers some of those questions, and the answers are likely to raise the anxiety level.
Everyone concerned with cybersecurity issues watched closely as hotel giant Wyndham Worldwide Corp. challenged the Federal Trade Commission's authority to regulate data privacy and cybersecurity. In short, the Third Circuit upheld broad FTC authority to investigate, set standards and punish violations.
The FTC has historically brought enforcement actions in the cybersecurity space under Section 5 of the FTC Act, which grants it authority over "unfair or deceptive acts or practices."
Given the broad scope of activities that may fall under the rubric of "unfair or deceptive" acts, the FTC has exercised significant latitude in bringing such actions. The FTC argues that companies make promises to consumers to safeguard their information and limit themselves to using consumer information in certain ways.
If they fail to meet those promises or are negligent in protecting information, they have engaged in "unfair or deceptive" practices. Those violations may include failing to encrypt consumer credit card numbers, selling email lists when a company promised not to, or having a weak password policy that exposes consumer data to hackers and evildoers everywhere.
Although the FTC has been bringing such actions for quite some time, the vast majority were resolved by way of consent decrees—essentially settlements between the FTC and the target company that set forth the consequences for the company's shortcomings.
These consent decrees describe the allegedly wrongful or deficient conduct and then spell out the remedial measures, ranging from fines to third-party monitoring of data use practices to required changes that address deficiencies in networks and password policies. Although a consent decree binds only the target company, the body of consent decrees as a whole has created what commentators call a common law of privacy.
Many companies chose to use those consent decrees as suggested guidelines for their cybersecurity practices while others did not. We now know that those companies that ignored the consent decrees did so at their peril.
In this case, Wyndham also argued that the FTC's action could not stand because it failed to provide notice to Wyndham of standards defining reasonable data privacy and cybersecurity practices.
The court rejected that argument and found that the prior consent decrees offered fair notice of the types of practices and conduct that the FTC deems "unfair or deceptive." This conclusion makes clear that the FTC's consent decrees, which are published and available to the public, are a good starting point for companies looking to develop or refine their policies and practices in the data privacy and cybersecurity area. So what does this mean in plain English? It means that companies are subject to FTC enforcement actions for failing to meet the cybersecurity standards that the FTC deems appropriate to safeguard consumer information.
There is, however, no definitive guide that provides exacting standards that companies should implement. Executives tasked with cybersecurity within their companies should familiarize themselves with the body of FTC consent decrees publicly available on its website and monitor new actions being filed to better understand the evolution of what the FTC thinks is appropriate.
With technology evolving very rapidly, the FTC's views on cybersecurity are likely to evolve with it. The first order of business for any corporation that maintains sensitive data—which is almost every corporation—must be to assess its cybersecurity practices and compliance in light of the evolving and complex regulatory environment that is the reality after Wyndham.
This article appeared in the Daily Business Review on September 22, 2015, and is reprinted with permission.