FTC Has Authority to Enforce Corporate Cybersecurity

Up to now, there have been relatively few laws or regulations from government agencies that mandate just how companies should protect their data. In the United States, however, that may be about to change.

Earlier this week, the United States Court of Appeals for the Third Circuit decided in FTC v. Wyndham Worldwide Corp. that the Federal Trade Commission (FTC) had the authority under existing law to regulate the cybersecurity practices of businesses. This sets a precedent that could change how and why companies protect the information of their users. In the long term, it also sends a message: the FTC is keeping an eye on how companies secure their data, and will punish those who fail to do so.

To recap, the FTC is a body of the United States government that is mandated to enforce consumer protection laws via voluntary consent decrees, administrative complaints, or federal lawsuits. Historically, the FTC has concentrated what it considers to be unfair or deceptive business practices.

The FTC has been battling Wyndham (a global hotel conglomerate) since 2012, when the latter suffered a breach that led to the personal details of more than 600,000 guests being stolen. Wyndham alleged that the FTC’s authority did not extend to punishing the hotel chain for the breach. The court, however, disagreed.

In a very real way, this decision modernizes the authority of the FTC. It’s become clear that multiple large-scale breaches are as large a threat to consumers as the more pedestrian issues the FTC has handled in the past. However, this is not as unprecedented as one may think: the FTC has kept an eye on how tech companies implement security and privacy policies. For example, the FTC pointed out at this year’s Black Hat convention that they’d settled with Snapchat over how the latter handled messages and photos.

What does this mean for companies? Simply put, it means that promises of “security” and “privacy” can no longer can be glib phrases that, legally speaking, mean nothing. Instead, companies will actually have to make these promises happen, lest they be subject to an enforcement action that could cost millions. This raises proper cybersecurity from a nice to have thing (which, in many organizations, is still the case) to a must have item, in order to comply with the requirements of regulations. The FTC is watching for gross violations of cybersecurity and will punish those accordingly to set an example to others.

The US is not alone in this. European regulators have also been moving to impose regulations, albeit from a slightly different approach (data protection versus business practices). In the end, whatever the approach may be, this is welcome news that should help keep the personal data of consumers safe and secure.