In August, the United States Court of Appeals Third Circuit ruled that the FTC has the authority to regulate the procedures and policies of cybersecurity as “unfair” according to Section 5 of the FTC Act.
In an effort to dismiss a complaint filed against the company by the FTC, Wyndham Hotels argued that the FTC did not have the proper authority to regulate its cybersecurity polices nor did it supply ample notice of expectations.
The Third Circuit Court granted the defendant’s appeal for their two grievances: “whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45 (a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.”
The result of the appeals process concluded with the Third Circuit Court finding that the FTC had authority under Section 5 and that the defendants had ample notice of the FTC expectations. The Court also found that fair notice was supplied, “as long as the company can reasonably foresee that a court could construe its conduct as falling within the meaning of the statute.”
However, the story does not end there. While the Third Circuit Court ruled in favor of the FTC and many held this as a big win for cybersecurity regulations, upon closer examination of the case a caveat exists for those businesses who maintain a “one-size-fits-all” cybersecurity regulation body is ineffective at this time because of the multiplicity of cybersecurity issues relating to a disparate body of businesses with an equal array of cybersecurity requirements and necessities for safety and risk assessment.
Under the “unfair practices” prong of the Federal Trade Commission Act the Third Circuit Court rejected the FTC’s claim that cyber-related case settlements or orders of consent with outside parties could be used as a standardized tests in which companies like Wyndham can be challenged on the “unfairness” of practices or procedures.
This rejection is a win for businesses with little recourse other than to yield to FTC’s requests for modified cyber-security practices and supervision under the “unfairness” prong of the FTC Act.
As this drama continues to unfold in the courts and throughout commerce worldwide, it is clear that while the FTC seeks to gain a more complete grasp of its regulatory capabilities in the cybersecurity realm the demand for greater understanding of “unfairness” expectations intensifies as the cybersecurity forefront expands into riskier territory.
For more information on the Third Circuit Courts decision regarding the Federal Trade Commission vs. Wyndham Worldwide Corporation visit this link: http://www2.ca3.uscourts.gov/opinarch/143514p.pdf