BreachExchange mailing list archives

FTC Ruling Will Lead to More Cybersecurity Suits, Lawyers Say

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 8 Sep 2015 19:29:45 -0600

http://www.thelegalintelligencer.com/latest-news/id=1202736524445/FTC-Ruling-Will-Lead-to-More-Cybersecurity-Suits-Lawyers-Say?mcode=13952623&slreturn=20150808165427

In the wake of a federal appeals court's decision giving the Federal Trade
Commission authority to come down on companies with inadequate
cybersecurity, legal observers said the lack of clear regulation and the
FTC's newfound power will mean a surge in lawsuits.

The decision spawned from a case before the U.S. Court of Appeals for the
Third Circuit in which the court ruled that the Wyndham hotel chain, sued
by the FTC, could be held responsible for three data breaches of its
computer network that resulted in $10.6 million in fraudulent charges to
customers' credit cards.

The FTC's authority to enforce in cybersecurity matters comes specifically
from the court's decision to give the commission latitude to determine what
is considered an "unfair" trade practice.

Scott Vernick, a Philadelphia-based Fox Rothschild attorney who represents
Fortune 500 companies in data breach matters, said the authority gained
from the Third Circuit's decision coupled with the lack of solid
regulations governing cybersecurity means the FTC will be putting many more
companies in its crosshairs.

This could affect the likes of Sony, Ashley Madison, Target and Home Depot,
Vernick said, because "aside from the regulations put out by the credit
card companies, for a broad swath of companies there are no regulations
that you can look up" on software, firewalls and data encryption, to name a
few areas.

While other industries, like health care, transportation and the financial
sector, have more definitive regulations, Vernick said for most commercial
entities, the FTC points to its past enforcement actions for guidance.

Furthermore, Vernick said the FTC has no interest in establishing clear
regulations because it has more flexibility to police cybersecurity without
them.

However, the resolution of the Wyndham case will likely produce more
specific guidance, especially if the FTC wants to win the case, according
to Michael Sussmann, who focuses on consumer privacy litigation at Perkins
Coie in Washington, D.C.

Sussmann said the FTC does tend to use the lack of clarity to its
advantage, but in a case where Wyndham is not likely to back down and enter
into a settlement, the FTC will have to enumerate at least some standards
for cybersecurity practices geared toward companies that hold consumer data.

"They're going to have to lay out what this is," Sussmann said.

"There will be some de facto standard," he continued. "It may not be
comprehensive, but it should begin to answer the question of what is an
unfair business practice when it comes to cybersecurity and consumer data."

While it's still possible for Wyndham to prevail, Sussmann said, "If the
FTC gets a strong win, I suspect it'll be open season because they have
this defined jurisdiction."

Steven Caponi, co-chair of Blank Rome's cybersecurity and data privacy
group in Wilmington, Delaware, also predicted that more FTC cases would pop
up in the aftermath of the Third Circuit's decision.

"Since the FTC seems intent on filling the void in the absence of a federal
regulation on cyberlitigation, in light of the Third Circuit decision, I
would anticipate an increase in enforcement actions by the FTC," Caponi
said.

But that decision still leaves companies in the dark about how to comply
with the FTC in terms of cybersecurity. Additionally, Caponi said that
since there are so many private enforcement actions undertaken by the FTC,
there is a dearth of precedent available for companies to draw from.

And because of the discretion given to the FTC by the court in determining
what standards, if any, to articulate, Caponi said, "it's going to be
something that's going to be developed over time. Given the FTC's response,
they'll clearly want the flexibility of not having everything written out
in concrete terms."

"I think there does need to be clarity," he continued. "I think the threat
is evolving very rapidly and the technology is evolving very rapidly, and
given that it takes the federal government a long time to develop
regulations," once those regulations are cemented, the threat has already
evolved past the regulations. This leaves the government consistently
playing catch-up.

Roberta Anderson, the co-founder of K&L Gates' cyberlaw practice group in
Pittsburgh, said that as the FTC begins to more aggressively pursue
companies, businesses should get ahead of the curve by becoming more savvy
in becoming "cyber-resilient."

In addition to protecting their customers' data, companies can avoid
regulatory scrutiny by investing time in researching best practices,
Anderson said. However, it all comes back to the lack of concentrated
information on standards.

"I think that this is still a space where companies are trying to get their
arms around many things surrounding cybersecurity, including what to do in
the event of a breach and dealing with regulatory exposure. There's a real
hunger for knowledge, including how you deal with the FTC and state
attorneys general and the other cops walking the block," Anderson said.

She added, "In the absence of promulgated regulations, companies really do
have to cobble what's available in the public domain."

David Katz, a partner at Nelson Mullins Riley & Scarborough and head of its
privacy and information security practice group, told Legal affiliate
Corporate Counsel that the FTC means business: "If you don't train your
employees to use strong passwords, the battle is lost right there."

Katz noted that companies in situations similar to Wyndham should emphasize
their compliance with industry standards.

"I think you have to be able to make a credible argument that the controls
you have in place are consistent with best practices and consistent with
nationally and internationally recognized data security standards," Katz
noted.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com