Two years ago, I met a relative of a friend at a Thanksgiving dinner party. He was a prominent plaintiff’s attorney at a NJ law firm one might recognize from their personal injury commercials; my friend told me previously that he’d done quite well for himself over the years. At my urging – I get bored quickly at formal dinner parties and constantly search for a distraction – he told me about a case he was working on. A couple parked their car in a parking garage and went to dinner. Upon their return, they were assaulted and robbed. My new friend told me he was suing the owner of the parking garage. I challenged the logic by naively suggesting that the individuals responsible for the couple’s damages were the criminals who attacked them. His response: the criminals don’t have any money.
And in that one sentence, I realized that the legal community, over time, has successfully separated responsibility from liability, logic from profit, common sense from civil law. Now, the Federal Trade Commission (FTC) is following that lead as data breach civil law evolves rapidly. Since they can’t catch and punish the bad guys that are committing the breaches, they’re concentrating their substantial regulatory firepower on breach victims. Case in point, Wyndham Hotels.
Wyndham suffered multiple breaches between 2008 and 2010, resulting in over 600,000 stolen customer credit cards. In April 2010, the Federal Trade Commission – “the self-proclaimed principal federal cybersecurity regulator” – launched an investigation of Wyndham to determine “whether Wyndham’s information security practices comply with Section 5 of the FTC Act, which prohibits deceptive or unfair acts or practices.”
Let’s take a minute to unpack that statement, starting with a short history lesson. The FTC was created in 1914, its primary mission to enforce the Clayton Act, a follow-up to the more memorable Sherman Act that was designed to combat the monopolies of the time. The relevant law under which the FTC claimed authority to investigate Wyndham – Section 5 of the FTC Act – prohibits “unfair or deceptive acts or practices in or affecting commerce.”
You read that correctly: the FTC subjected Wyndham Hotels to a costly investigation and legal battle – that is just now being resolved – on the basis of a 100-year-old law written originally to break up Standard Oil and US Steel when they each held over 90% market share.
Wyndham has fought the efforts of the FTC for 5 years, arguing, among other positions, that the FTC doesn’t have the congressional authority to regulate cyber security on the basis of a law written at a time when Tsar Nicholas II was leading Russia into World War I, and opium and cocaine were still legal in the United States.
A well-written legal discussion of Wyndham’s arguments and the basis under which the Courts rejected them can be found in this article: https://www.teachprivacy.com/ftc-authority-enforce-data-security-ftc-wyndham-worldwide/. The bottom line, however, is that Wyndham challenged the FTC’s authority to regulate private enterprise cyber-security practices, and it lost…badly. In the Wyndham case, the Courts have granted their imprimatur to the notion that the Federal Government – and the FTC more specifically – can leverage a law written at a time when less than 20% of American households had indoor plumbing to regulate a 21st-century technology industry.
The short answer is that they feel they have no other choice right now, as cyber security legislation written in this century has been perennially stalled in Congress. As high-profile breaches proliferate – and the sources of those breaches are increasingly funded by our nation’s enemies, not rogue hackers – Congress may be on the verge of finally addressing this issue legislatively.
We’ll dive into the recent, tortured history of cyber security legislation next. Stay tuned.
“Wyndham – A Case Study in Cybersecurity: How the cost of a relatively small breach can rival that of a major hack attack.” Timothy Cornell, Clifford Chance US LLP, March 19, 2015
FTC Act, Section 5: https://www.federalreserve.gov/boarddocs/supmanual/cch/ftca.pdf