BreachExchange mailing list archives
FTC Ruling Will Lead to More Cybersecurity Suits, Lawyers Say
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Sep 2015 19:29:45 -0600
http://www.thelegalintelligencer.com/latest-news/id=1202736524445/FTC-Ruling-Will-Lead-to-More-Cybersecurity-Suits-Lawyers-Say?mcode=13952623&slreturn=20150808165427

In the wake of a federal appeals court's decision giving the Federal Trade Commission authority to come down on companies with inadequate cybersecurity, legal observers said the lack of clear regulation and the FTC's newfound power will mean a surge in lawsuits.

The decision spawned from a case before the U.S. Court of Appeals for the Third Circuit in which the court ruled that the Wyndham hotel chain, sued by the FTC, could be held responsible for three data breaches of its computer network that resulted in $10.6 million in fraudulent charges to customers' credit cards. The FTC's authority to enforce in cybersecurity matters comes specifically from the court's decision to give the commission latitude to determine what is considered an "unfair" trade practice.

Scott Vernick, a Philadelphia-based Fox Rothschild attorney who represents Fortune 500 companies in data breach matters, said the authority gained from the Third Circuit's decision coupled with the lack of solid regulations governing cybersecurity means the FTC will be putting many more companies in its crosshairs. This could affect the likes of Sony, Ashley Madison, Target and Home Depot, Vernick said, because "aside from the regulations put out by the credit card companies, for a broad swath of companies there are no regulations that you can look up" on software, firewalls and data encryption, to name a few areas.

While other industries, like health care, transportation and the financial sector, have more definitive regulations, Vernick said for most commercial entities, the FTC points to its past enforcement actions for guidance. Furthermore, Vernick said the FTC has no interest in establishing clear regulations because it has more flexibility to police cybersecurity without them.

However, the resolution of the Wyndham case will likely produce more specific guidance, especially if the FTC wants to win the case, according to Michael Sussmann, who focuses on consumer privacy litigation at Perkins Coie in Washington, D.C. Sussmann said the FTC does tend to use the lack of clarity to its advantage, but in a case where Wyndham is not likely to back down and enter into a settlement, the FTC will have to enumerate at least some standards for cybersecurity practices geared toward companies that hold consumer data.

"They're going to have to lay out what this is," Sussmann said. "There will be some de facto standard," he continued. "It may not be comprehensive, but it should begin to answer the question of what is an unfair business practice when it comes to cybersecurity and consumer data." While it's still possible for Wyndham to prevail, Sussmann said, "If the FTC gets a strong win, I suspect it'll be open season because they have this defined jurisdiction."

Steven Caponi, co-chair of Blank Rome's cybersecurity and data privacy group in Wilmington, Delaware, also predicted that more FTC cases would pop up in the aftermath of the Third Circuit's decision. "Since the FTC seems intent on filling the void in the absence of a federal regulation on cyberlitigation, in light of the Third Circuit decision, I would anticipate an increase in enforcement actions by the FTC," Caponi said.

But that decision still leaves companies in the dark about how to comply with the FTC in terms of cybersecurity. Additionally, Caponi said that since there are so many private enforcement actions undertaken by the FTC, there is a dearth of precedent available for companies to draw from. And because of the discretion given to the FTC by the court in determining what standards, if any, to articulate, Caponi said, "it's going to be something that's going to be developed over time. Given the FTC's response, they'll clearly want the flexibility of not having everything written out in concrete terms."

"I think there does need to be clarity," he continued. "I think the threat is evolving very rapidly and the technology is evolving very rapidly, and given that it takes the federal government a long time to develop regulations," once those regulations are cemented, the threat has already evolved past the regulations. This leaves the government consistently playing catch-up.

Roberta Anderson, the co-founder of K&L Gates' cyberlaw practice group in Pittsburgh, said that as the FTC begins to more aggressively pursue companies, businesses should get ahead of the curve by becoming more savvy in becoming "cyber-resilient." In addition to protecting their customers' data, companies can avoid regulatory scrutiny by investing time in researching best practices, Anderson said. However, it all comes back to the lack of concentrated information on standards.

"I think that this is still a space where companies are trying to get their arms around many things surrounding cybersecurity, including what to do in the event of a breach and dealing with regulatory exposure. There's a real hunger for knowledge, including how you deal with the FTC and state attorneys general and the other cops walking the block," Anderson said. She added, "In the absence of promulgated regulations, companies really do have to cobble what's available in the public domain."

David Katz, a partner at Nelson Mullins Riley & Scarborough and head of its privacy and information security practice group, told Legal affiliate Corporate Counsel that the FTC means business: "If you don't train your employees to use strong passwords, the battle is lost right there." Katz noted that companies in situations similar to Wyndham should emphasize their compliance with industry standards.

"I think you have to be able to make a credible argument that the controls you have in place are consistent with best practices and consistent with nationally and internationally recognized data security standards," Katz noted.