The recent decision in Federal Trade Commission v. Wyndham Worldwide Corporation reflected, for the first time, a court’s view on the Federal Trade Commission’s (FTC’s) authority to regulate cybersecurity under the Federal Trade Commission Act. The court concluded that (1) the FTC does have the authority to regulate cybersecurity under Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices, regardless of the existence of any other cybersecurity law or regulation; (2) the FTC does not need to issue regulations prescribing cybersecurity practices before taking action under Section 5; (3) sufficient potential injury was alleged to support such an action; and (4) Wyndham’s pre-breach statements about its cybersecurity practices were sufficient for the FTC to plead a deception claim under Section 5. This initial decision was only the first step, as it dealt with Wyndham’s motion to dismiss; actually proving that Wyndham violated Section 5 will require more litigation if a settlement is not reached first. But the case is significant because in every prior publicly reported case where the FTC found a violation, the organization settled with the FTC and agreed to a consent decree that acknowledged its deficiencies, committed to improvements, and accepted some period of enhanced monitoring by the FTC to demonstrate continued compliance.
In response to this decision, I recently commented to some of my friends in the legal profession that it could give the FTC a “huge authority” to more aggressively pursue organizations that it believes are not implementing appropriate cybersecurity practices, despite the absence of any clear guidance on what those practices should be. I was quickly admonished that the decision merely validated the actions the FTC had been taking for several years and did not grant it any new authority. One person suggested that the FTC does not have a track record of being particularly aggressive in these matters and tends to exercise its authority in the most egregious cases (or perhaps the ones receiving the most media attention). While I may have been a little flippant in suggesting that the FTC has a whole new mandate, I certainly agree that the decision did not change the status quo from a legal perspective. The court, in my opinion, made the correct decision. However, law and politics are two different animals, and court decisions validating an approach have a tendency to boost morale and stimulate further activity. And in a world where the president is looking for more ways to leverage existing executive authority to take regulatory action, these court decisions could make a difference. In reality, the bigger challenge for an organization like the FTC is not its legal authority, which is rather broad, but the limited resources it has to investigate suspected violations. Consequently, it is unlikely that the FTC will pursue matters more proactively, such as conducting audits before breaches occur. Instead, it will likely continue pursuing high-profile cases in the hope that the deterrent effect will inspire others to improve their cybersecurity. Given the potential for lawsuits and payment card industry (PCI) investigations in response to high-profile breaches, one wonders whether such actions by the FTC are the best use of its resources.
While the FTC may not be a sleeping giant about to awake and rid our nation of poor cybersecurity practices, the wisdom of its model is still up for debate. As I’ve remarked before, government’s track record in using its regulatory power to reduce cybersecurity risks is dubious at best. It tends to treat cybersecurity like a building code that can remain static over time. And while the FTC is not proposing a framework to regulate against, its efforts still miss the mark. Government’s cybersecurity efforts should focus on catching and punishing the hackers intent on breaking our laws, funding research on cybersecurity innovation, facilitating information sharing, and disseminating specific examples of cybersecurity solutions that work (e.g., regular patching, application whitelisting, predictive analytics, removal of administrator rights). The best regulators are the ones that constantly challenge those they regulate to innovate, rather than dwelling on a framework that too easily leads to a security monoculture and a safe harbor mentality. As my article on TJ Hooper notes, the definition of reasonable prudence evolves over time, particularly where your adversaries are sentient actors who have no reason to fear apprehension. Let’s focus on protecting the things that matter rather than implementing minimal controls that protect things that matter less and simply drive up costs.