We've been hearing a lot of security data breaches lately -- some would say too much. From the Target and Neiman Marcus debacle to last week's Heartbleed bug, we now know why cybersecurity is on the minds of general counsel not just in the U.S., but worldwide.
Based on a recent district court decision, the data breach itself may be the least of a company's problem. What may be worse is not only the media and consumer fallout, but the possibility of FTC enforcement actions, and private litigation.
Please pass the Advil.
Federal Trade Commission v. Wyndham Worldwide Corporation, et al.
In FTC v. Wyndham, the FTC sued Wyndham because between 2008 and 2010, hackers gained access to Wyndham's computer network and stole Wyndham customer' payment information. The FTC claimed alleged that the data breach "violated Section 5(a)'s prohibition of 'acts or practices in or affecting commerce' that are 'unfair' or 'deceptive.'" Normally companies settle with the FTC, but here, Wyndham decided to fight back, challenging the FTC's authority to bring such an action, reports Corporate Counsel. That's where the trouble started.
Last week, Judge Salas, of the District Court for the District of New Jersey found that the FTC does indeed have authority under Section 5(a) of the Federal Trade Commission Act, stating "the FTC's unfairness authority over data security can coexist with the existing data-security regulatory scheme." The court did not get to the merits of the case, but merely refused to dismiss the case on the pleadings. Whether Wyndham will settle, or risk trial is yet to be determined.
Although Wyndham argued that there was no precise guidance from the FTC and this lack of guidance violated fair notice principles, the court did not agree. It seemed persuaded by FTC that in "the data-security context, 'reasonableness is the touchstone' and that 'unreasonable data security practices are unfair,'" leaving the door open for claims like this to be decided on a case by case basis.
How to Protect Your Company
Some attorneys have analyzed the impact of the Wyndham case and argue that as a result, "Companies should look to the patchwork of FTC views expressed in consent orders, speeches by FTC leadership, and public workshops, as well as industry publications, to identify prudent security measures." Furthermore, they caution that "companies should take care to ensure that general promises to use 'industry standard' or 'commercially reasonable' protective measures reflect specific investments in data security technologies."
Of course, this case is on the district court level, so we don't know if courts in other circuits will agree, or how aggressively the FTC will prosecute security data breaches as unfair and deceptive business practices, or whether there will be an avalanche of private litigation. But we do know that all of these are definite possibilities, and as in-house counsel you must prepare and protect your company.
Enjoy the latest legal news from our blogs? Keep up with the latest legal docs on Scribd.
- National Cyber Security Awareness Month: Resources and Tips (FindLaw's In House Blog)
- 5 Ways In-House Counsel Can Improve Vendor Cybersecurity (FindLaw's In House Blog)
- Are Hackers Silently Listening in on Your Videoconferences? (FindLaw's In House Blog)