An appellate court ruling Monday affirmed the Federal Trade Commission's role in policing the cybersecurity of commercial companies, a role some have argued is an overreach of the regulator's authority.
One such claim came from Wyndham Hotels and Resorts, which filed the appeal earlier this year contesting an FTC suit that claimed the hotel chain misrepresented its ability to keep customer data secure. Monday's ruling upheld the FTC's assertion that it had standing to bring a case against Wyndham.
According to the FTC, Wyndham hotels maintained insufficient cybersecurity measures, leading to three significant breaches in 2008 and 2009 attributed to Russian hackers. The result was some $10.6 million in fraudulent charges on stolen customer accounts.
Despite this, the hotel chain touted strong security for its guests, including a message on its website that stated, "We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our websites and members participating in our Loyalty Program."
Wyndham said its security practices included encrypting customer information behind secure firewalls.
However, according to the FTC, the company did not use encryption — storing payment card information in clear text — and failed to use commercially available firewalls and other security products to protect that information.
The FTC viewed this as a misleading claim and brought suit against the company and three of its subsidiaries.
Wyndham, in turn, appealed the suit, asserting the FTC did not have standing to regulate cybersecurity for the private sector.
"While we are disappointed by [Monday's] opinion, we continue to contend the FTC lacks the authority to pursue this type of case against American businesses and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security," a Wyndham spokesman said after the appeal was denied.
The new ruling "reaffirms the FTC's authority to hold companies accountable for failing to safeguard consumer data," FTC Chairwoman Edith Ramirez said after the decision. "It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information."
Regulating cybersecurity
Some in the cybersecurity sector see this affirmation as a move in the right direction.
"Consumers have been paying the price for security breaches for too long," said Eric Chiu, president and co-founder of cloud company HyTrust. "Hopefully, the FTC can help put greater pressure on companies to do the right thing."
Not everyone agrees, however.
Michael Daugherty, CEO of LabMD and author of "The Devil Inside the Beltway," has been on a crusade against the FTC since the regulatory body brought an action against his company based on what turned out to be falsified information. He says fighting the allegations crippled his company and forced massive layoffs over the years.
"FTC wants to become the No. 1 self-appointed cybersecurity regulator," Daugherty said. "FTC is creating common law [around cybersecurity] — get the consent decree; build precedent; avoid the courts; mislead and stonewall Congress; and play hero to the press."
A Wyndham spokesman noted the appellate court's decision was merely about whether the FTC had standing to bring the suit, not on the merits of the case itself.
"Once the discovery process resumes, we believe the facts will show the FTC's allegations are unfounded," they said.
Turning complicated tech into enforceable policy
The FTC is making major decisions about what constitutes strong cybersecurity for the private sector — decisions the commissioners themselves aren't always educated about.
FTC Commissioner Terrell McSweeny admitted such during a presentation at this year's Black Hat hacker and cybersecurity conference, urging those in attendance to get involved and help shape regulatory policy.
For help with these decisions, McSweeny also leans on people like Ashkan Soltani, FTC's chief technologist.
Relying on employees like Soltani and industry groups will be critical if FTC continues to regulate cybersecurity, according to Yorgen Edholm, CEO of Accellion.
Edholm suggested keeping the lines of communication open, as well as having in-house staff that can then translate technical speak into enforceable regulations.
"I wish they didn't have to," Edholm said, noting added levels of bureaucracy can become cumbersome. "But the threat is so much stronger today, it has increased so quickly … Someone needs to push corporate America to do a better job and I guess it's going to be the FTC."
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.