October 05, 2012


By Sheldon Gilbert, National Chamber Litigation Center (cross-posted as "FTC, Stop Punishing Hacking Victims")

What would you think if you saw the police fining a small business owner, whose restaurant was just broken into, because the small business owner was unable to stop the crooks from breaking into her restaurant? Would it make sense for a city inspector to punish a business owner for not complying with the building code – if the city council had never even formally promulgated a building code?

As outlandish as these scenarios might sound, they are exactly what the Federal Trade Commission (FTC) is doing to American businesses that are the victims of sophisticated global hackers. Today, the U.S. Chamber’s National Chamber Litigation Center led a broad business coalition in filing a friend-of-the-court brief challenging the FTC’s rampant practice of punishing hacking victims. The case is FTC v. Wyndham, and it is pending in federal district court in Arizona.

Here’s a little more background on today’s legal filing. Over the last few years, the FTC has routinely punished businesses that are themselves hacking victims for allegedly failing to have “reasonable” data security measures in place – only there is no way for a business to know what the FTC will consider “reasonable” measures until after it has been hacked.

Because the FTC has never formally promulgated any data security standards, a business has no way of knowing whether it’s compliant until after it’s been hacked, had its data stolen, completed a costly FTC investigation, and an enforcement action has been filed against it. Then the FTC strong-arms the business into entering into so-called “settlement” agreements (or “consent orders”) that often give the FTC roving and unchecked authority for the next 20 years to conduct audits and impose penalties on the business – again, for violating non-existent data security standards.

The FTC only recently “discovered” its authority to punish businesses for data security breaches. Time and again since 2000, the FTC has lobbied Congress for this very authority, suggesting the agency itself believed Congress never intended the FTC Act to provide it. But in the few years since “discovering” this authority under the “unfairness” prong of Section 5 of the FTC Act, the FTC has prosecuted a host of businesses, all of which understandably settled, given the inherent unpredictability and unknown costs associated with the FTC’s unprecedented regulatory approach. The FTC says it is an “unfair” business practice for a company’s data security measures to be breached by rogue and ruthless global hackers. But what is truly “unfair” is the FTC’s completely imbalanced and unlawful pattern of punishing businesses that are victims of hacking, without giving them fair notice of what is expected of them.

In June 2012, the FTC brought its first lawsuit in court alleging that a company had violated Section 5 of the FTC Act when it was victimized by hackers. The Chamber, represented by its public policy law firm, the National Chamber Litigation Center (NCLC), and its co-counsel, Hogan Lovells, today filed an amicus brief with the court challenging the FTC’s pattern of overreach.

The U.S. Chamber and its members are committed to improving data security. It goes without saying that no business wants to be the victim of a successful hacking attempt – it exposes the business’s assets and trade secrets to theft, and it damages its relationships with its customers and employees. Indeed, the need to remain on guard against a multitude of cyber threats is the reason the business community continuously updates its data security procedures and follows industry best practices. Moreover, the U.S. Chamber supports the enactment of a truly uniform federal standard for data security and breach notification that is consistent with the best approaches in state law.

There’s a right way and a wrong way to improve data security. The wrong way is allowing the FTC to continue to punish the victims of hacking attacks, without providing businesses fair notice of what data security standards are expected of them.