In a large brick and glass building on 6th and Market Streets in Philadelphia, across the street from the Yu Ya Nails and Spa, and only a few hundred yards from Independence Hall, a case is being argued that may decide the fate of cybersecurity in America.
On March 3, in the United States Court of Appeals for the Third Circuit, the court heard an oral argument in the case of Federal Trade Commission v. Wyndham Worldwide Corporation, etc., et al., Dkt. No. 14-3514
At issue is the question of whether the federal government – and more specifically the Federal Trade Commission (FTC) – has the authority to regulate the cybersecurity and privacy practices of companies doing business in the United States.
The FTC was a product of the progressive era, when President Roosevelt – that is, Teddy not Franklin – proposed sweeping government reforms. Among them was the creation of a federal agency empowered to, among other things, regulate both fraudulent and deceptive trade practices.
Congress passed the FTC Act, Section 5 of which prohibited “Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce…”
So clearly House Speaker Champ Clark and Republican Whip James Wadsworth, and the rest of the 63rdCongress meant to regulate the use of buffer overflows and misconfigured SQL-injection vulnerabilities. Right?
The FTC has used the authority of the 1914 statute to go after companies that both advertise that they protect data and don’t (deceptive trade practices) and those that make no representation about privacy and security, but don’t have privacy and security practices the federal government deems “reasonable” (unfair trade practices.) In either event, the FTC claims jurisdiction over most entities engaged in “trade or business” (unless there’s a specific exemption from jurisdiction) to regulate privacy and security.
Most of the time, the FTC goes after a company after there has been a breach of privacy related information, and a failure to protect that data. Most of the time the regulated entity agrees to pay a fine to the FTC, to create a privacy or security program that is to the government’s liking, and to remain subject to the jurisdiction and oversight of the FTC for a quarter century.
Most of the time.
Not true with respect to hotel chain Wyndham Resorts. When the FTC went after Wyndham for having a data breach (punishing the crime victim?) Instead of challenging the enforcement action, Wydnham challenged the authority of the federal government to regulate privacy and security.
At least under the 1914 statute.
So is failing to protect personal data, or using personal data in ways that an ordinary consumer might not like an “unfair” trade practice? Clearly it’s a matter of interpretation. The 1914 Congress did not intend to regulate privacy. The 1914 Congress did not intent to regulate personal data. The 1914 Congress did not intend to regulate data security, the Internet, TCP/IP, DES Encryption or WiFi. But all of these are now part of national trade. Payment systems, data systems, communications, storage, etc., are all part of trade. And it is the Federal TRADE commission.
The real question is whether security failures or inadequacies are “unfair.”
It’s one thing if you make a promise of security (or privacy) and people rely on it, and you don’t deliver. That can be unfair or deceptive. Maybe. If I promise that I “take your security seriously…” does that constitute a guarantee of security? A promise of a certain level of security? A warranty? Or is it just like saying, “your call is important to us… please hold for another hour for a customer service representative…”
Not every promise is the same. If a company says “we use ‘state of the art’ security” does this require them to use the latest and greatest tools (and continuously updated) to provide security. If a company says it uses “best practices” does this mean that the consumer can expect that there are no possible practices which are better? If a company claims that it uses SSL to encrypt data, is this representation “fraudulent” because data at rest is not always encrypted? According to the FTC, the answer is yes.
Same is true for “unfair” trade practices. What is the standard for privacy and security in the US? Is it “unfair” to collect personal information? To use it? What is the role of knowledge and consent. Is it unfair for the U.S. government to do the same things? What standard should be imposed?
All of these are good questions. And, according to the hotel chain, questions that the 1914 Congress had little intention of addressing.
So the Court will have the final say in determining the scope of the jurisdiction of the FTC under the 1014 law to regulate 21st Century practices. In 1914 a Dodge cost $500; a gallon of gas was 12 cents; a house was $3,500; Some things change over time. But fraud is still fraud. The question is whether Internet companies are selling us Silicon Snake Oil or not. And that’s for a Court in Philadelphia to determine. At least for now.