Bad Data Security Practices Can Lead to FTC Punishment
Federal Appeals Court Says FTC has Authority to Regulate Data Security Practices
MFT Nation has written before about the FTC vs. Wyndham Worldwide Corp. case. The FTC sued Wyndham after three separate hacking incidents led to more than $10 million in fraud losses for customers. Wyndham allegedly did not use encryption, firewalls, and other commercially reasonable methods for protecting consumer data.
In our previous posts we did not address a corollary issue raised by the FTC vs. Wyndham case–whether companies that fail to provide customers with reasonable data security protections can be punished by federal regulators. Earlier this week, a federal appeals court confirmed that the FTC can punish companies for unreasonable data security practices. The appeals court ruling is interesting on several levels, but for purposes of this post, I want to share some of the humorous and biting ways the court dealt with some of Wyndham’s arguments.
Reductio Ad Absurdum Invites a Tart Retort
For example, Wyndham asserted that a business shouldn’t be held liable if “the business itself is victimized by criminals.” Basically, Wyndham tried to deflect attention from its alleged wrongdoing by pointing the finger at another wrongdoer, the hackers. Wyndham suggested that if it can be held liable in such circumstances, then the FTC could conceivably sue supermarkets that are “sloppy about sweeping up banana peels.” I kid you not; Wyndham actually proffered this argument.
The appeals court had fun with it, though, describing the argument as reductio ad absurdum. For non-lawyers and those who don’t speak Latin, the court is telling Wyndham that its argument is absurd. And the court used the banana peel analogy to explain the absurdity of Wyndham’s argument: “It invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability.” Generally speaking, you’re not doing well when the court feels your argument “invites a tart retort.”
In Some Instances, the Third Time Isn’t a Charm
Wyndham also argued that it was not given adequate notice of “what specific cybersecurity practices are necessary to avoid liability.” To this argument, the court quickly offered another tart retort: “We have little trouble rejecting this claim.” The court explained:
As the FTC points out in its brief, the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points, did not restrict specific IP addresses at all, did not use any encryption for certain customer files, and did not require some users to change their default or factory-setting passwords at all.
In other words, Wyndham’s practices would fail under any cybersecurity standard imposed by the FTC. And the court went on to say that Wyndham’s case was made “even weaker given it was hacked not one or two, but three times. At least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed.”
Beaten by Not Broken
What did Wyndham say about the ruling? It remained defiant, saying that ultimately “the facts will show the FTC’s allegations are unfounded.” But in a more conciliatory tone, Wyndham did acknowledge that “safeguarding personal information remains a top priority for our company, and with the dramatic increase in the number and severity of cyberattacks on both public and private institutions, we believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries.”
Stay tuned to MFT Nation for further developments in the FTC vs. Wyndham case, as well as others affecting the world of data security.