Are merchant cyber security claims unfair and deceptive?
Can a company’s publicly stated cybersecurity policy be so poorly implemented that it amounts to an unfair and deceptive practice that deceives consumers into handing over credit card information? The answer to this question may finally require merchants to be legally responsible for commercially reasonable cybersecurity practices.
Late in August, the federal Court of Appeals for the Third Circuit upheld the FTC’s right to sue Wyndham Corporation over its allegedly substandard cybersecurity practices. If the decision is upheld, the FTC will have the authority to mandate that corporations claiming to have commercially reasonable cybersecurity policies actually do. What a concept.
First, some background. Congress empowers the FTC to prevent “unfair or deceptive acts or practices in or affecting commerce.” What exactly satisfies this standard has always been open to interpretation. In 1994, Congress codified a 1980 Policy Statement at 15 U.S.C. § 45(n), which provides, in part, that the Commission has jurisdiction where an act or practice 1) causes a substantial harm to consumers that 2) isn’t outweighed by any countervailing benefits to consumers or competition and 3) consumers couldn’t have themselves avoided.