An appeals court handed the Federal Trade Commission a big victory this week in ruling that it could require companies to securely store customer data and then punish them if they failed to do so.
The ruling Tuesday was seen as a victory for consumer privacy, especially as companies collect increasing amounts of data about their users. However, it also caused some concern because the company the FTC sued argued that the agency had no clear standards for what constitutes reasonable cyber security and data protection measures. Could the FTC sue anyone?
In an article at Slate, Josephine Wolff, an assistant professor of public policy and computing security at Rochester Institute of Technology and a faculty associate at Harvard’s Berkman Center for Internet and Society, suggests that the FTC should develop a “very detailed, specific, rigorous list of the most effective data security practices for companies.” She suggested that “anyone who failed to meet those standards could be held responsible.”
Yet she immediately acknowledged that such an idea is ridiculous given the changing nature of security threats and the differences in security standards required by different industries. For example, your medical data should be more secure than your clothing preferences. But overall the tone of that article is one of frustration with the agency for applying nebulous standards to companies when it comes to safeguarding data.
The original case involved the Wyndham hotel chain, which the FTC sued for lapses in basic data security. Those lapses included storing customer credit card data in readable text, using “micros” as both the user ID and the password for software from the vendor Micros Systems, and not having firewalls or any other form of security between its corporate network and the Internet. Despite these deficiencies, Wyndham had told customers in a statement on its website that their data was safe. Perhaps in this case, it’s easy to say the FTC acted appropriately on behalf of the consumers whose data was stolen and sold to Russian hackers. Victims lost more than $10 million related to the breach.
However, criticizing the FTC for not having a list of easily defined rules here is like blaming an obnoxious three-year-old at a restaurant. It’s the parents — Congress that is — who should take the blame. Early this year, the FTC put out a report about privacy and security begging Congress to implement some sort of laws around data privacy.
So far, efforts to get Congress to do anything have gone nowhere. So what we have is a regulatory agency that is now stuck with a broad standard that was originally created in 1914 and then amended several times to prevent “unfair or deceptive acts or practices in or affecting commerce.” This phrase is the stick with which the FTC beat Wyndham, arguing that the hotel chain’s practices, when “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”
The agency found Wyndham’s security practices so unreasonable, and thus unfair to the consumer and deceptive, because Wyndham said it guarded guests’ data. The court agreed. At Slate, Wolff’s worry is that it’s hard to define what the FTC will say is unreasonable, and that fact should concern businesses going forward. Wyndham certainly tried to argue that it was entitled to some sort of certainty.
However, that sort of certainty will be hard to come by absent a law.
The best we can hope for at the moment is an agency that is willing to continue taking action and is unafraid to fight for privacy in court as a way to create a series of rules via case law. Yes, it’s messy, but in the current era it seems to be where we are heading.
As for businesses wondering what it means if the FTC decides to promote better security practices with the threat of lawsuits, there is another reason to be concerned. The National Law Review wrote up an analysis of the Wyndham opinion saying that the financial harm to the consumers from the loss of their data in this case didn’t seem relevant:
While the FTC’s complaint did allege actual harm to consumers resulting from the Wyndham breaches in the form of over $10 million in fraudulent charges, this language could allow the FTC to continue bringing enforcement actions where no “actual” harm to consumers exists.
That means companies dealing in data had better check their passwords and put up firewalls, at a minimum.
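The lapses the article lists, cleartext card numbers in storage and a vendor user ID reused as its own password, are the kind a company can audit for itself before a regulator does. The following Python script is an added example written for this page; it is not the article's, Wyndham's or Micros Systems' code, and the records, account list and default-password set in it are constructed for illustration. It scans stored records for Luhn-valid card numbers (so random digit runs such as reference numbers are not reported) and flags accounts whose password equals the user ID or is a common default.

```python
import re

# Constructed sample data (not from the article, Wyndham or Micros Systems).
# 4111 1111 1111 1111 is a widely used Luhn-valid test number, not a real card.
SAMPLE_RECORDS = [
    "2008-05-02 reservation guest=A.Example card=4111 1111 1111 1111 exp=12/10",
    "2008-05-02 reservation guest=B.Example card=tok_8f3c1e exp=06/11",
    "2008-05-03 note phone=5551234567 ref=1234567890123456",
]
SAMPLE_ACCOUNTS = [
    ("micros", "micros"),              # user ID reused as the password
    ("frontdesk", "Correct-Horse-7!"),
    ("admin", "admin"),
]
# Small illustrative list of vendor/default passwords (constructed, not exhaustive).
DEFAULT_PASSWORDS = {"password", "admin", "123456", "changeme", "welcome"}

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: filters out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(lines):
    """Return every Luhn-valid card number found in cleartext across the given lines."""
    found = []
    for line in lines:
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                found.append(digits)
    return found


def mask(pan: str) -> str:
    """Show only the last four digits, so the audit report is not itself a leak."""
    return "*" * (len(pan) - 4) + pan[-4:]


def weak_credentials(accounts):
    """Flag accounts whose password equals the user ID or is a common default."""
    findings = []
    for user, password in accounts:
        reasons = []
        if password.lower() == user.lower():
            reasons.append("password equals user ID")
        if password.lower() in DEFAULT_PASSWORDS:
            reasons.append("common default password")
        if reasons:
            findings.append((user, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for pan in find_plaintext_pans(SAMPLE_RECORDS):
        print("cleartext card number stored:", mask(pan))
    for user, reason in weak_credentials(SAMPLE_ACCOUNTS):
        print(f"weak credential for {user!r}: {reason}")
```

On the constructed data the scan reports one stored card number (the tokenized record and the 16-digit reference that fails Luhn are ignored) and two weak accounts. A real audit would run the same checks over database dumps and application configs, and the firewall gap the article mentions is a network-segmentation review rather than something a file scan can show.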