Does a presidential executive order on cybersecurity get a hotel chain off the FTC hook for its breaches?
In their Notice, Wyndham Worldwide Corporation states, in large part:
As relevant here, the Executive Order requires the National Institute of Standards and Technology (“NIST”) to lead the creation of a baseline set of standards for reducing cyber risks to critical infrastructure — what the Executive Order calls the “Cybersecurity Framework.” Cybersecurity EO § 7(a). The Cybersecurity Framework will establish a “set of standards, methodologies, procedures, and processes” for addressing cybersecurity threats, id., and will include “guidance for measuring the performance of an entity in implementing” those standards, id. § 7(b). The Framework must also “provide a prioritized, flexible, repeatable, performance-based, and costeffective approach” that includes specific “information security measures and controls” critical-infrastructure operators can implement to “identify, assess, and manage cyber risk.” Id. § 7(b). In developing the Cybersecurity Framework, the Director of NIST must “engage in an open public review and comment process.” Id. § 7(d). Compliance with the Cybersecurity Framework is initially “voluntary,” id. § 8(a), however federal agencies are directed to develop “incentives” to promote compliance and to assess whether “the agency has clear authority to establish requirements based on the Cybersecurity Framework,” id. § 10(a).
The method of regulation laid out in the Cybersecurity Executive Order starkly contrasts with the approach the Federal Trade Commission has taken to regulating cybersecurity under Section 5 of the FTC Act. The FTC has not issued any “standards, methodologies, procedures, [or] processes” for complying with Section 5, id. § 7(a); it has not established “guidance for measuring the performance of an entity in implementing” data-security protections that might comply with the statute, id. § 7(b); it has not identified specific “information security measures and controls” that a business might adopt, id. § 7(b); and it has not “engage[d] in an open public review and comment process,” id. § 7(d). To the contrary, the FTC has refused to issue any rules, regulations, or guidelines explaining what data-security protections a company must employ to comply with the Commission’s understanding of Section 5. See WHR Mot. to Dismiss at 10-11. Instead, the FTC has claimed the right to enforce its view of datasecurity policy through selective enforcement actions founded entirely on ex post reasoning. See, e.g., Br. of Amici Curiae Chamber of Commerce, et al., at 7-12.
The bottom-line point is simple. In the context of regulating critical infrastructure, the Executive branch has determined that governing rules and standards must be developed far in advance of any potential regulatory enforcement efforts and through a full-fledged “public review and comment process.” Id. § 7(d). If that is true in the context of critical infrastructure, then surely it is all the more true when the FTC attempts to regulate businesses operating in other sectors of the economy. For these reasons, and for those stated in defendants’ motions to dismiss, the FTC’s complaint should be dismissed as a matter of law.
The FTC has not yet responded to this filing. In November 2012, however, it had cited a then-new opinion in FTC v. LabMD from the Northern District of Georgia in which the court wrote, in part:
Although the Court finds there is significant merit to Respondents’ argument that Section 5 does not justify an investigation into data security practices and consumer privacy issues, it is a plausible argument to assert that poor data security and consumer privacy practices facilitate and contribute to predictable and substantial harm to consumers in violation of Section 5 because it is disturbingly commonplace for people to wrongfully exploit poor data security and consumer privacy practices to wrongfully acquire and exploit personal consumer information.
So will a presidential order on cybersecurity make a damned bit of difference in a lawsuit involving Section 5 of the FTC Act? I don’t think it should, but I guess we’ll have to wait and see.