Under CISA, Would Wyndham Be Able To Pre-empt FTC Action?

The Third Circuit just issued an important ruling holding that the Federal Trade Commission could sue Wyndham Hotels for having cybersecurity practices that did not deliver what their privacy policies promised. The opinion, written by Clinton appointee Thomas Ambro, laid out just how bad Wyndham’s cybersecurity was, even after it had been hacked twice. Ambro upheld the District Court’s decision that FTC could claim that Wyndham had unfairly exposed its customers.

The Federal Trade Commission Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). In 2005 the Federal Trade Commission began bringing administrative actions under this provision against companies with allegedly deficient cybersecurity that failed to protect consumer data against hackers. The vast majority of these cases have ended in settlement.

On three occasions in 2008 and 2009 hackers successfully accessed Wyndham Worldwide Corporation’s computer systems. In total, they stole personal and financial information for hundreds of thousands of consumers leading to over $10.6 million dollars in fraudulent charges. The FTC filed suit in federal District Court, alleging that Wyndham’s conduct was an unfair practice and that its privacy policy was deceptive. The District Court denied Wyndham’s motion to dismiss, and we granted interlocutory appeal on two issues: whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.1 We affirm the District Court.

[snip]

Wyndham’s as-applied challenge falls well short given the allegations in the FTC’s complaint. As the FTC points out in its brief, the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points, Compl. at ¶ 24(a), did not restrict specific IP addresses at all, id. at ¶ 24(j), did not use any encryption for certain customer files, id. at ¶ 24(b), and did not require some users to change their default or factory-setting passwords at all, id. at ¶ 24(f). Wyndham did not respond to this argument in its reply brief.

Wyndham’s as-applied challenge is even weaker given it was hacked not one or two, but three, times. At least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed the costbenefit analysis. That said, we leave for another day whether Wyndham’s alleged cybersecurity practices do in fact fail, an issue the parties did not brief. We merely note that certainly after the second time Wyndham was hacked, it was on notice of the possibility that a court could find that its practices fail the cost-benefit analysis.

The ruling holds out the possibility that threats of such actions by the FTC, which has been hiring superb security people in the last several years, might get corporations to adopt better cybersecurity and thereby make us all safer.

Which brings me to an issue I’ve been asking lots of lawyers about, without satisfactory answer, on other contexts.

The Cybersecurity Information Sharing Act prevents the federal government, as a whole, from bringing any enforcement actions against companies using cybersecurity threat indicators and defensive measures (or lack thereof!) turned over voluntarily under the act.

(D) FEDERAL REGULATORY AUTHORITY.—

(i) IN GENERAL.—Except as provided in clause (ii), cyber threat indicators and defensive measures provided to the Federal Government under this Act shall not be directly used by any Federal, State, tribal, or local government to regulate, including an enforcement action, the lawful activities of any entity, including activities relating to monitoring, operating defensive measures, or sharing cyber threat indicators.

(ii) EXCEPTIONS.—

(I) REGULATORY AUTHORITY SPECIFICALLY RELATING TO PREVENTION OR MITIGATION OF CYBERSECURITY THREATS.—Cyber threat indicators and defensive measures provided to the Federal Government under this Act may, consistent with Federal or State regulatory authority specifically relating to the prevention or mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such information systems.

(II) PROCEDURES DEVELOPED AND IMPLEMENTED UNDER THIS ACT.—Clause (i) shall not apply to procedures developed and implemented under this Act.

Given this precedent, could Wyndham — and other negligent companies — pre-empt any such FTC actions simply by sharing promiscuously as soon as they discovered the hack?

Could FTC still sue Wyndham because it broke the law because it claimed its “operating defensive measures” were more than what they really were? Or would such suits be precluded — by all federal agencies — under CISA, assuming companies shared the cyberattack data? Or would CISA close off this new promising area to force companies to provide minimal cybersecurity?

Update: Paul Rosenzweig’s post on the FTC decision is worth reading. Like him, I agree that FTC doesn’t yet have the resources to be the police on this matter, though I do think they have the smarts on security, unlike most other agencies.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

5 replies
  1. bloopie2 says:

    There’s so much in that one section, with so many terms not yet construed by any court, that it could take a decade or longer to figure out the answer to your question. Simple laws get construed quickly; complex ones like this one, operating in a new field, take forever. For example, they are still figuring out the extent to which the government can regulate under the Clean Air Act and Clean Water Act, which are what, fifty years old? Put together a pushy FTC and a rollover IC, and you could get a case that will take a decade to resolve.

  2. DannyD says:

    Could such an immunity provision also be used to coerce corporations to share where the otherwise would not? Like granting immunity in exchange for testimony, you cannot refuse once you’ve been shown not to be not at jeopardy of self incrimination.

    Consider the implications ( and costs) that an entity would be facing if presented with a ‘share of face an investigation’ choice by DHS. 99.999% of corps would then roll-over and share everything, they have no legal reason not to and financial reasons to help then get over their principles.

    The only corp with any type of defense for not ‘sharing’ with DHS would be one with the expressed business purpose of concealing information from the government.

    This is structured such that corps get immunity in exchange for forced testimony. No objectors allowed.

  3. wallace says:

    quote”Which brings me to an issue I’ve been asking lots of lawyers about, without satisfactory answer, on other contexts. “unquote

    Other contexts.

    quote”Walking past the American Girl store today, I wondered if they had an Ashley Madison doll.”unquote

    fuck. I’m thinking it’s time to reflect on a change in perspective.

    The Cybersecurity Information Sharing Act prevents the federal government, as a whole, from bringing any enforcement actions against companies using cybersecurity threat indicators and defensive measures (or lack thereof!) turned over voluntarily under the act.”unquote

  4. wallace says:

    Dear bloopie2…

    I suggest a change in our consumption of a diet of National Security bullshit and find something that actually feeds our soul.

Comments are closed.