One of the most hotly contested questions in the cyber domain (at least domestically) is whether or not the federal government should have a role in setting universal cybersecurity standards for critical American infrastructure. That was the ground for debate much of 2011 and 2012 in Congress.
The debate gave rise to a subsidiary question: If the federal government is going to set standards, which part of the government should be responsible? Some (the “hawks”) favored the National Security Agency. (This was before Edward Snowden became a household name.) Others (the “doves”) thought that civilian control through the Department of Homeland Security was the better course. But everyone seemed to agree that one of the federal security agencies should be in charge of setting cybersecurity standards.
In our current system of government, though, things that make sense seldom become reality. It now seems that our cybersecurity standards are going to be set by a consumer protection organization—the Federal Trade Commission (FTC). The case that made this clear is Federal Trade Commission v. Wyndham Worldwide Corporation, a civil suit brought in the District of New Jersey by the FTC relating to a cybersecurity breach at Wyndham Hotels.
To understand how the case creates this new reality, we need to step back and understand the FTC. Under Section 5 of the FTC Act, the FTC has two grounds on which it can bring a civil lawsuit. One is an allegation of deception—in other words, an argument that some consumer service organization (like, say, Wyndham Hotels) made representations to the public that were false. As you can imagine, allegations of that sort are tied to particular circumstances and particular facts. The second ground for FTC enforcement is a broader one: that a company has engaged in “unfair” business practices. This means, in the words of the statute, that a company “caused or [is] likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.” In other words, that a company made a cost/benefit trade-off to the detriment of consumers in a way that the FTC thinks is unreasonable.
The FTC suit against Wyndham is tied to a breach of Wyndham’s computer systems by a Russian criminal organization that, allegedly, resulted in the loss of more than $10 million due to fraud. Through the suit, the FTC is seeking a permanent injunction directing Wyndham to fix its computer systems so that they are more secure. The suit asserts both grounds for FTC jurisdiction. It first alleges that Wyndham’s privacy policy, which described how the company protects the information it holds about its customers, is deceptive—that Wyndham made cybersecurity promises it couldn’t keep. The suit also alleges that Wyndham’s systematic failure to provide adequate security for the personally identifiable information of its customers is an unfair business practice.
This type of lawsuit by the FTC is not unusual. These legal theories have been the foundation, for example, of the FTC’s investigation of Google, Twitter, and HTC, and its investigation of data breaches at large consumer companies like Heartland. In almost all of these cases, the FTC deploys some combination of the argument that a company has misled the public about the nature of its cybersecurity (“deception”) or that it has failed to invest adequately in cybersecurity measures (“unfair practices”). Until now, all of these actions have resulted in out-of-court settlements, leaving the validity of the FTC’s legal theories untested.
But in the Wyndham case, the FTC’s authority—and thus, the federal government’s authority—was questioned. Wyndham challenged the basic premise of the FTC’s suit, arguing that consumer protection statutes cannot be stretched to cover cybersecurity issues. Wyndham argued that the lawsuit exceeded the FTC’s enforcement authority, a position supported by the Chamber of Commerce. In the absence of comprehensive cybersecurity legislation, the only effective method of government cybersecurity regulation has been the FTC’s enforcement authority. This suit, in effect, tested whether the federal government could set any mandatory rules for protecting computer networks.
Wyndham’s motion to dismiss the suit was decided the other day, and the FTC won. In sum, the court stated that cybersecurity can be an unfair business practice just like any other. So now, the FTC’s authority is clearer, and its efforts stand as the centerpiece of the federal program to compel the business community to adopt more stringent and effective cybersecurity measures. (I use “effective” here in a descriptive manner, as it is indisputable that the FTC’s efforts are having an effect. Whether, as a normative matter, those effects are good or bad is a different question.)
To be sure, the ruling goes only to the FTC’s authority to sue, not to the merits of the claim against Wyndham. But that’s the real heart of the case—as any good lawyer knows, losing the motion to dismiss is tantamount to defeat. Expect a settlement soon. More to the point, the ruling will empower the FTC on a broad scale. Cybersecurity legislation is still in the future and may never pass Congress—but now it may not matter.
It is especially odd, though, that new security standards will be based on a consumer protection law instead of, say, a national security law. That sort of result would have been impossible to predict, but it is the reality. The FTC has a legal hammer, and we can expect the agency to use it.