Wyndham: Systems management and best practices:
In the first major case related to regulatory oversight of cybersecurity issues, the FTC asserted that not having the same controls in place as other companies was an unfair trade practice on Wyndham's part. The FTC alleged that Wyndham had not done enough to secure its systems, which had been breached three times in two years. The case involved regulatory action in response to the company not meeting a standard of security held by many of its competitors. The FTC also asserted that it did not need to prove actual injury to consumers to bring a cybersecurity enforcement action. Wyndham lost the case on appeal. The rest of us learned a painful lesson in systems management and industry best practices.
Yahoo: Waiting for the other shoe to drop:
The SEC is already looking at Yahoo (now part of Verizon) over the breach of over 1 billion email accounts, at the time the largest data breach on record. The SEC is looking primarily at how long Yahoo took to report the breach, but the FTC has also been paying attention to this case. It is not inconceivable that the FTC takes a similar tack to its D-Link case, especially given allegations that Yahoo intentionally avoided certain email security protocols that its major competitors had in place. The size of the case may also be enticing to the FTC: it is not uncommon for regulators like the FTC to try to deter smaller companies by winning high-dollar cases against larger ones.
Strong-arming into the healthcare sector:
It doesn't stop there. How exactly does the FTC make its way into the healthcare sector? According to its own policy statements, its efforts raise consumer awareness and help prevent consumer harm. The FTC's mandate is overly broad and extends to healthcare businesses that are also covered under HIPAA: healthcare providers, health plans, business associates, and so on. The FTC works with the Department of Health and Human Services on the privacy and security side of protecting health information. On the other side, products recommended by physicians or by HIPAA-covered businesses are also within the FTC's reach, which extends to consumers' use of health apps, devices and products that non-HIPAA entities develop. This reach is also going to expand into the medical device industry as cybersecurity issues continue to increase in that realm. In short, this is a way of extending regulation not only to the healthcare sector but to anything touched by someone practicing in it.
Aside from Wyndham, another case, this one in healthcare, shows the other side of enforcement action. Wyndham solidified the FTC's authority to police data breaches, but in FTC v. LabMD the courts scrutinized the standard of "reasonable security" the FTC employed.
In FTC v. LabMD, LabMD is a privately held company that operated as a medical services provider, performing tests for patients at the request of doctors. As part of its business, LabMD stored electronic billing records and medical records on an office computer. In May 2008, a third party contacted LabMD and said that some of these files were available through LimeWire, a peer-to-peer file-sharing program. After being notified, LabMD determined that LimeWire had been installed on its billing computer and promptly removed it. LabMD also searched and monitored LimeWire for several months for any evidence of the leaked files but found none beyond the copy held by the third party. Nevertheless, the FTC brought an enforcement action against LabMD under the unfairness prong of Section 5 of the FTC Act. The FTC alleged that LabMD did not employ readily available measures to prevent or detect unauthorized access to personal information on its computer networks, and did not develop, implement, or maintain a comprehensive information security program to protect consumers' personal information.
But departing from the reasoning in Wyndham, this time the administrative law judge who first heard the case found there was no evidence that any consumer had suffered actual harm from the alleged failure to employ "reasonable" data security, and no evidence of a high likelihood of future harm. (The full Commission later reversed that initial decision, and LabMD appealed.)
The victory in this case was the pushback from the court. At oral argument, the court criticized the FTC's standard of "reasonable security" and asked the FTC's counsel why the Commission does not engage in rulemaking to define reasonable security. In response, the FTC's counsel said, "Rulemaking isn't effective and there are too many variables, as standards are always changing." The court pushed back further and asked how companies are supposed to know "that they're violating what they're violating" if there are no rules. The FTC's counsel replied that the Commission is "entitled to proceed in a case-by-case" manner and that companies have a "duty to act reasonably under the circumstances."