Virtually all organizations face of two daunting, unwavering facts: (1) cyber attacks will occur despite the best security; and (2) regulatory scrutiny in the wake of attacks is escalating, not lessening. (As to the first, it is abundantly clear that network security alone will not prevent all attacks; no firewall is unbreachable, no security system impenetrable.
An organization can have the best firewalls, perimeter security, end-to-end encryption, and updated antivirus software, but there will remain, among other things, a human element that is so difficult to control. As to the second, organizations face increasingly heightened regulatory scrutiny in the wake of attacks, as illustrated by the Wyndham case.
Although organizations can neither achieve fail-safe security, nor entirely insulate themselves from legal liability and regulatory scrutiny in the wake of an attack, they can become cyber-resilient and education is a critical step in that process. The Third Circuit’s decision in Wyndham underscores the necessity of education in becoming cyber-resilient.
Although the Third Circuit did not find or hold that Wyndham’s cybersecurity violated Section 5 of the FTC Act (an issue not presented for the court’s consideration), it did hold that Wyndham had fair notice, through various channels, that “its specific cybersecurity practices could fall short of [Section 5].” In reaching its decision, the Third Circuit found the FTC’s complaint alleged facts that, if true, would place an organization on fair notice that its cybersecurity might violate Section 5:
[T]he complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points, did not restrict specific IP addresses at all, did not use any encryption for certain customer files, and did not require some users to change their default or factory-setting passwords at all.Wyndham’s…challenge is even weaker given it was hacked not one or two, but three, times. At least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed the [Section 5] cost-benefit analysis. That said, we leave for another day whether Wyndham’s alleged cybersecurity practices do in fact fail, an issue the parties did not brief. We merely note that certainly after the second time Wyndham was hacked, it was on notice of the possibility that a court could find that its practices fail the cost-benefit analysis. (Court’s emphasis, citations omitted).
The Third Circuit also pointed to a 2007 guidebook issued by the FTC, entitled Protecting Personal Information: A Guide for Business, which describes a “checklist” of practices that form a “sound data security plan,” as well as prior complaints filed by FTC and consent decrees in administrative cases raising unfairness claims based on inadequate corporate cybersecurity, which were published in the FTC’s website and in the Federal Register.
Wyndham therefore emphasizes the importance of education in becoming cybersecure and cyber-resilient. Although even the best cybersecurity can and does fail, the most secure institutions recognize that education is a necessary predicate to being cyber-resilient. A company cannot implement solid cybersecurity if it is not educated as to what that is–and what it is not. In addition to significantly decreasing the odds of a successful attack, solid cybersecurity will position an organization to better respond when regulators come calling in the wake of a breach event. Organizations are therefore encouraged to educate themselves, with the assistance of capable counsel and other advisors, concerning what good cybersecurity looks like and how they might implement and achieve it.
As to the authority of FTC to regulate cybersecurity—and potentially many other matters under the unfairness prong of Section 5 more broadly—organizations may wish to take note of the Third Circuit’s observations as to potential Section 5 liability: “were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under [Section 5].”
Roberta Anderson is a partner in the Pittsburgh office of K&L Gates LLP. She has represented insureds in connection with a broad spectrum of insurance issues and disputes arising under many kinds of insurance coverages, including general liability, commercial property, business interruption, data privacy and “cyber”-liability, directors and officers (D&O), errors and omissions (E&O), and employment practices liability. In addition to assisting clients in maximizing their current insurance assets, Anderson provides strategic advice on complex underwriting and risk management issues, including the drafting and negotiation of data privacy, cyber liability, technology E&O, and D&O insurance coverage. Anderson can be reached at [email protected] or 412.355.6222.
