Today, a US appeals court affirmed the Federal Trade Commission's authority to go after companies for having inadequate cybersecurity practices—under a statute passed in 1914.
The ruling means that conduct such as failing to encrypt credit card information, or using easy-to-guess passwords for remote access to systems, can be considered an "unfair" trade practice. A ruling in the other direction would have left a gaping hole in American privacy regulation, since the FTC is the primary enforcer of data security standards today.
The decision comes, serendipitously, after hackers published Ashley Madison users' private data last week.
In one case, the username and password were both "micros"—which was also the name of the remote access software being used.
Wyndham fought back, claiming the FTC did not have the authority to regulate cybersecurity. (In all fairness, the Federal Trade Commission Act of 1914 is not an obvious choice under which to enforce data privacy and security.) The company argued that this kind of approach would allow the FTC to sue supermarkets that are "sloppy about sweeping up banana peels."
However, the US Court of Appeals for the Third Circuit rejected this argument, calling it "alarmist." In fact, the court went so far as to sarcastically respond that "were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability" under section five of the Federal Trade Commission Act.
Within today's patchwork system of privacy regulation, the Federal Trade Commission is actually "the most active federal agency enforcing privacy and data security, and it has the broadest reach," according to experts such as Daniel Solove and Woodrow Hartzog. Affirming FTC authority in cases like Wyndham is particularly significant because the allegations in that case bear an uncanny resemblance to countless other breaches.
In an interview with Motherboard's Joseph Cox last week, the Ashley Madison hackers said that the breached company had "no security" and that "you could use Pass1234 from the internet to VPN to root on all servers."
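The failures the article describes, a password identical to the username, a password that is simply the name of the remote-access product, and a guessable default like "Pass1234" on an internet-facing VPN, are all mechanically checkable before an auditor or an attacker finds them. The following is an added example, not code from the article or from any company it mentions: a small credential audit that flags exactly those patterns. The sample accounts, the product name list and the short known-weak denylist are constructed for illustration; a real deployment would check against a full breached-password corpus rather than this handful of entries.

```python
"""Audit remote-access credentials for the weaknesses named in the Wyndham
complaint and the Ashley Madison breach: password == username, password ==
product or vendor name, well-known default passwords, and very short passwords.
All sample data below is constructed for this example."""

import re
from dataclasses import dataclass, field

# Constructed denylist. Production code would load a large breached-password
# list (ideally queried via a k-anonymity API) instead of these few entries.
KNOWN_WEAK = {"pass1234", "password", "123456", "admin", "welcome1"}

MIN_LENGTH = 12  # assumed policy threshold, not a value from the article


@dataclass
class Credential:
    service: str    # what the account protects, e.g. "VPN" or "remote access"
    username: str
    password: str


@dataclass
class Finding:
    service: str
    username: str
    reasons: list = field(default_factory=list)


def _normalize(s: str) -> str:
    """Lowercase and drop separators so 'Micros-2' and 'micros' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _strip_trailing_digits(s: str) -> str:
    """'micros2' -> 'micros': catches product names with a number appended."""
    return re.sub(r"\d+$", "", s)


def audit_credential(cred: Credential, product_names=()) -> Finding:
    """Return a Finding listing every weakness detected for one credential."""
    reasons = []
    pw = _normalize(cred.password)
    user = _normalize(cred.username)

    if pw == user:
        reasons.append("password equals username")

    # Password equal to the service or to a known product/vendor name
    for name in (cred.service, *product_names):
        if pw and _strip_trailing_digits(pw) == _normalize(name):
            reasons.append(f"password is the product/vendor name ({name})")
            break

    if pw in KNOWN_WEAK or _strip_trailing_digits(pw) in KNOWN_WEAK:
        reasons.append("password is on the known-weak list")

    if len(cred.password) < MIN_LENGTH:
        reasons.append(f"password shorter than {MIN_LENGTH} characters")

    return Finding(cred.service, cred.username, reasons)


def audit_all(creds, product_names=()):
    """Audit a list of credentials and return only those with findings."""
    return [f for f in (audit_credential(c, product_names) for c in creds)
            if f.reasons]


# Constructed sample inventory modelled on the two cases the article cites.
SAMPLE_ACCOUNTS = [
    Credential("remote access", "micros", "micros"),
    Credential("VPN", "root", "Pass1234"),
    Credential("VPN", "ops-backup", "correct-horse-battery-staple-42"),
]


def demo():
    """Run the audit over the constructed sample; used by the usage below."""
    return audit_all(SAMPLE_ACCOUNTS, product_names=("Micros",))


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.service} / {finding.username}: "
              + "; ".join(finding.reasons))
```

Run as a script it reports the "micros"/"micros" account under three reasons (equals username, equals the product name, too short) and the root/"Pass1234" VPN account under two (known-weak list, too short), while the long passphrase account produces no finding. The check is deliberately a denylist plus a few structural rules rather than a complexity score, because the breaches the article describes were not defeated by cleverness but by credentials anyone could guess from the product's name alone.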