A federal appeals court on Monday affirmed the Federal Trade Commission's power to regulate cybersecurity—a decision that follows a number of massive healthcare data breaches over the past year.
A panel of judges for the 3rd Circuit U.S. Court of Appeals sided with a lower court, saying the FTC's lawsuit against Wyndham Worldwide Corp. should be allowed to move forward.
In the Wyndham lawsuit, the FTC alleges that Wyndham engaged in unfair cybersecurity practices that exposed consumers' personal data to unauthorized access and theft. The FTC also alleges the hotel chain's privacy policy was deceptive. The lawsuit followed three intrusions into Wyndham's computer systems in 2008 and 2009, in which hundreds of thousands of consumers' records were stolen, leading to more than $10.6 million in fraudulent charges.
In their decision, the judges said the FTC has the authority to regulate cybersecurity under a provision of federal law prohibiting unfair or deceptive acts affecting commerce. The court also said Wyndham had fair notice that its cybersecurity practices might violate that provision.
“At least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed the cost-benefit analysis,” Judge Thomas Ambro wrote in the opinion.
Attempts to reach Wyndham for comment were not immediately successful.
The opinion also noted that an FTC guidebook for businesses on how to protect personal information offers advice that Wyndham did not heed: encrypt sensitive information stored on a computer network; check software vendors' websites regularly for alerts about vulnerabilities; use a firewall to protect computers from attacks while they are connected to the Internet; and implement a breach response plan that includes investigating incidents immediately and taking steps to address vulnerabilities.
Though the case involves a hotel chain, it comes on the heels of a number of data breaches in the healthcare industry.
Earlier this year, news broke that Anthem was the victim of a cyberattack that exposed the personal information of 80 million current and former members. Premera Blue Cross also announced in March that a May 2014 cyberattack penetrated a system that contained records for 11 million customers.
Typically, HHS' Office for Civil Rights handles healthcare data breaches because such breaches fall under the Health Insurance Portability and Accountability Act (HIPAA), a federal law that aims, among other things, to protect patient privacy, said Lisa Clark, a partner at Duane Morris in Philadelphia. HHS can investigate healthcare breaches, impose penalties and even refer cases for criminal prosecution, she said.
“In healthcare we do have the advantage that HIPAA gives some more guidance than the FTC does,” Clark said. “FTC is just interpreting a statute whereas HIPAA is a law and a set of complex regulations, and HHS has given a lot of advice and guidance on how to comply with HIPAA.”
The FTC doesn't now get involved in many healthcare breach cases, Clark said. But it could.
“It seems that this decision really validates the FTC in terms of its recent enforcement actions,” Clark said. “It's been very active in this area and I think this just means for healthcare providers, on top of HIPAA, they just have to be that much more vigilant.”
Sandra Jeskie, also a partner at Duane Morris in Philadelphia, said that in recent years the FTC has been more aggressive in pursuing companies that violate the unfairness prong of the law. Monday's decision further clarifies what that unfairness prong means, Jeskie said.
“I think that the FTC will certainly feel pretty emboldened by this,” Jeskie said. “I think they've already done a pretty good job of pursuing deceptive or unfair practices that affect consumers, but I think this certainly ups the ante.”
According to a Project Japan Information and Management Systems Society survey, two-thirds of healthcare information technology leaders said they experienced a “significant” data security incident in the past year.