The Federal Trade Commission has served as businesses’ chief security enforcer for 13 years. When U.S. companies lose or expose customers’ personal data to hackers, they may also have to reckon with a complaint from the agency.
If two companies suing the FTC—hotel operator Wyndham Worldwide and now-defunct medical lab LabMD—have their way, the agency’s authority over business data security would end. Although they face an uphill battle, their challenges are still alive.
Since 2002, the FTC has reached data security settlements with about 50 companies. After the agency found that they had failed to take “reasonable” steps to protect customer data, the companies agreed to measures such as launching new cybersecurity programs or undergoing security audits.
The FTC, along with many privacy and consumer groups, argues that its authority over business data security protects consumers by serving as a deterrent to companies tempted to take cybersecurity shortcuts.
Here’s the problem with Wyndham and LabMD’s lawsuits, some privacy advocates say: Federal regulations currently protect consumer data only in specific industries, such as health care. Outside those sectors, the FTC is the only federal agency policing how companies secure customer data.
Stripping the agency of its authority to regulate data security “would further curtail the limited and insufficient protections now available to consumers,” says John Simpson, privacy advocate at Consumer Watchdog. It would remove a major line of defense for consumers.
G.S. Hans, a policy attorney at the Center for Democracy & Technology, agrees. A successful challenge to the FTC’s authority would bring a “full stop” to cross-industry data security regulation in the United States, he says. “It’s important for the FTC to be a cop on the beat.”
Many large companies have gotten the message that data security is important, Hans adds. “For smaller entrants and new companies, knowing that there’s a possibility of FTC investigation makes it that much more vital to have good security practices.”
The FTC, however, lacks a clear definition of reasonable security practices, some free-market advocates argue. The agency does not publish a detailed description of adequate cybersecurity efforts, they say, and reasonable security is a vague and fast-moving target.
Even with a baseline security standard, it becomes “difficult and nuanced to determine what that baseline is, and who’s under and who’s above,” says Dan Epstein, executive director of Cause of Action, a regulation watchdog assisting LabMD’s FTC challenge.
Reasonable security standards at a mom-and-pop business might look very different from those at a large corporation, Epstein adds.
“Essentially, what the FTC is saying is, the small laboratory testing company has to have the same standards as the large multinational LabCorp,” he says. If they have to follow the same standards as “a multinational hospital corporation, guess what’s happening to their businesses? They’re shutting down or getting bought out.”
Wyndham and LabMD, which has indeed shut down operations, have experienced major setbacks in challenging the FTC’s authority.
In August, the U.S. Court of Appeals for the Third Circuit upheld a lower court’s refusal to dismiss a 2012 FTC complaint against Wyndham over three data breaches that led to more than $10.6 million in fraudulent charges.
The hotel group, which had stored payment card information in clear text, argued that the data breaches did not meet the FTC’s definition of an unfair business practice because the company itself fell victim to the hacks.
Appeals court Judge Thomas Ambro shot that argument down, saying Wyndham “offers no reasoning or authority for this principle, and we can think of none ourselves.”
Although the appeals court decision sends the Wyndham case back to district court, the company has vowed to continue to fight.
Attorneys for LabMD, meanwhile, are contending with FTC accusations related to two significant data breaches in the past eight years. In one breach, a LabMD customer spreadsheet populated with names, Social Security numbers, and medical-treatment codes was found on a public file-sharing network.
The FTC’s case against the lab has so far played out inside the agency’s own administrative process. In May, an administrative-law judge held a hearing, and in September the agency denied the company’s motion to dismiss the case. The lab argues that the FTC has no authority over health care providers that are already covered by the Health Insurance Portability and Accountability Act.
LabMD is still awaiting the judge’s ruling from the May hearing. Like Wyndham, it could ultimately challenge an FTC ruling in an appeals court, according to Epstein of Cause of Action.
“The wheels of justice are slow,” he says. Justice for the company, however, may lead to fewer protections for consumers.