This week, a New Jersey federal court affirmed the Federal Trade Commission’s (FTC's) assertion that it can sue companies as a result of data breaches. The District Court of New Jersey ruled that the FTC can hold companies liable that fail to implement sufficient security practices. Wyndham Worldwide Corporation had challenged an FTC lawsuit related to a data breach that exposed hundreds of thousands of credit and debit cards, leading to more than $10.6 million in fraud losses. The New Jersey court rejected Wyndham’s challenge and maintained the FTC’s authority to hold companies accountable for data breaches.
The FTC has broad powers dating back to its inception in 1914 that originally protected consumers from fraud and unfair business practices. The FTC Act also stipulates that consumers can receive monetary redress for damages.
Under this Act, the Commission is empowered, among other things, to (a) prevent unfair methods of competition, and unfair or deceptive acts or practices in or affecting commerce; (b) seek monetary redress and other relief for conduct injurious to consumers; (c) prescribe trade regulation rules defining with specificity acts or practices that are unfair or deceptive, and establishing requirements designed to prevent such acts or practices; (d) conduct investigations relating to the organization, business, practices, and management of entities engaged in commerce; and (e) make reports and legislative recommendations to Congress.
The judge in the case, U.S. District Judge Esther Salas, basically broadened the already far-reaching powers of the FTC to cover cybersecurity measures. The FTC alleges that Wyndham had improperly configured software, weak passwords, and unsecured servers and these problems left customer information vulnerable to cyber attack.
The implications here are as far-reaching as Judge Salas' ruling. She obviously only ruled concerning the FTC's ability to bring legal action against a company and didn't examine the full gravity of what she's done here. The problem is that broadening these powers to cover cybersecurity negligence is dangerous territory for several reasons.
First, which security experts will the FTC engage or hire to make the determination that a company was negligent in its protection of consumer information?
Second, would the purpose of such legal actions serve to call attention to cyber attacks and mitigate the problems or simply to seek monetary damages and legal fees?
Third, who ultimately is to blame for cyberattacks and breaches? This type of power alleges that it is the company's fault and puts no blame on the attacker.
Fourth, this new power may bankrupt many companies either because of legal defense or security measures to prevent such actions.
Fifth, where does the blame go for breaches from bugs like Heartbleed? A company could have armed guards and ultra security measures in place, including staying up to date with the latest OpenSSL packages, and still be vulnerable to compromise because of this bug. Will the FTC go after everyone who falls prey to such attacks?
Finally, are security consultants also liable for damages if they don't find a vulnerability?
A transfer of such sweeping power to any government authority needs to be throttled because abuses of such power, which are far more damaging than stolen passwords and credit card numbers, are going to be costly. The threat of a cyber attack is bad enough but now companies have to fear that their expensive efforts will be seen as "inadequate" or as "negligent". This action will no doubt have a negative effect on innovation, hiring, business expansion, and ultimately the economy itself.
I believe in protecting consumers. I am a consumer. But I'm also a reasonable (somewhat) person who wants to give companies the benefit of the doubt before shaving their profits with frivolous and damaging lawsuits. I think that before a company is led to slaughter for security negligence, there should be some sort of independent, third-party assessment of the damage and of the company's efforts to secure its customer data.
I hope that another judge, or The Supreme Court, will take another look at this situation and decide that it gives too much power to the FTC. It's unfortunate that those who are in power tend to misuse and abuse their power without thinking of the consequences of that misuse.
With great power comes great responsibility.
What do you think of the FTC's new and confirmed powers? Is it a bad or a good move for businesses? Talk back and let me know.