The Federal Trade Commission (FTC) is very active and interested in data breaches and other cyber security incidents. The federal government and many state governments are slowly adding legislation that specifically addresses issues of cyber security and data breach reporting, but while those efforts slowly produce narrowly focused legislation, the FTC is trail blazing by using its existing and broad authority to regulate unfair business practices. 1)See 15 USC § 45(a). Using this broad authority granted by congress over a century ago, the FTC is actively bringing regulatory actions and filing suits against companies whose cyber security practices are inadequate and result in data breaches. These actions often result in consent decrees which have long term consequences for the companies that settle with the commission. Occasionally, a company will dig in for an extended legal battle. One such case is the FTC v. Wyndham action which recently produced an appellate decision from the Third Circuit which has significant implications for cyber security practices. 2)See FTC v. Wyndham Worldwide Corp., 2015 U.S. App. LEXIS 14839 (3d Cir. N.J. Aug. 24, 2015).
I read Court opinions so you don’t have to, thus this post will discuss (1) a brief summary of the Wyndham data breaches, (2) the FTC’s authority under the “unfairness” prong, and (3) the importance of the Third Circuit opinion as a contour of likely future FTC actions. I will conclude by discussing future liability concerns in the wake of data breaches especially in the context of the FTC.
WYNDHAM DATA BREACHES
In the FTC’s complaint, it lays out what it contends are the salient facts behind three data breaches of Wyndham’s networks. 3)See FTC v. Wyndham Worldwide Corp., Case No. 2:13-cv-01887 (D.N.J. 2012) R. Doc. 1. Essentially, the systems in question consist of (1) the terminals at the hotels (“Property Management System”), (2) servers in a datacenter located in Phoenix, AZ (“Central Reservation System”), and (3) connections between the local hotel network and the Wyndham corporate networks. 4)Id. at ¶¶ 14-9. (more…)
References [ + ]
|1.||↑||See 15 USC § 45(a).|
|2.||↑||See FTC v. Wyndham Worldwide Corp., 2015 U.S. App. LEXIS 14839 (3d Cir. N.J. Aug. 24, 2015).|
|3.||↑||See FTC v. Wyndham Worldwide Corp., Case No. 2:13-cv-01887 (D.N.J. 2012) R. Doc. 1.|
|4.||↑||Id. at ¶¶ 14-9.|