What, exactly, can a business do to protect itself against a Federal Trade Commission enforcement action for allegedly failing to take reasonable precautions to protect its customers’ sensitive, private, digital information, such as credit card numbers, bank account information, dates of birth, and even medical records? Especially because it is difficult to know exactly what the term “reasonable precautions” actually means in the quickly evolving world of cybersecurity, it is important to develop a credible answer to the question. Some high-profile businesses, including at least one which has been the victim of a large-scale cyber-breach, have come up with a seemingly simple, though elegant, solution.
To appreciate the solution, though, you first have to understand the problem. This post will discuss the full extent of the problem. In the next post, we will examine the solution.
One of the main attacks against the FTC’s Reasonable Precautions cybersecurity standard is that it does not provide fair notice of what it requires or prohibits. What, exactly, constitutes a reasonable precaution, and what does not? How can a business be expected to comply with a standard if it does not have fair notice of what it requires? This was a major defense in both the FTC’s administrative trial against LabMD and the action entitled Federal Trade Commission, Plaintiff, v. Wyndham Worldwide Corp., et al., Defendants, Civil Action No. 13-1887 (ES), United States District Court, D. New Jersey (the “Wyndham case”), both of which we have written about at length. At least so far, though, “reasonableness,” as applied on a case-by-case, fact-specific basis, is all a business basically has to work with.
In the Wyndham case, as we have previously written, one of the defendants, Hotels and Resorts, based its motion to dismiss the complaint, in large part, on the allegation that the reasonable precautions cybersecurity standard was too vague, and that the FTC should issue detailed regulations giving fair notice of what the standard required, before the FTC could seek to enforce it. In denying the motion, the court held: