Will Wyndham Hotels Put Us on the Road to Rational Data Security Regulation?

I hope so.

Here are the facts we need for this discussion:

1. The Federal Trade Commission charged four different Wyndham corporations (which we’ll just call Wyndham here) with deceptive acts and practices, as well as unfair acts and practices.

2. The FTC charges are based on Wyndham data breaches.

3. Unlike other businesses that the FTC has charged in past data breach cases, Wyndham has not settled.

4. Instead, in a motion to dismiss, Wyndham has challenged the FTC’s authority to regulate data security matters.

5. In its motion, Wyndham has also taken the position that the FTC has not followed the processes necessary to establish data security rules that the FTC may enforce.

Before we get into the points I want to make here, I should say that the foregoing is a very limited summary.  There is a lot to this whole affair, and you will need to dig into detail elsewhere if you want a full understanding of it.  A more detailed summary can be found in a good article in ComputerWorld.  If you want to read a scholarly work on the FTC’s authority to regulate data security matters and the approach the FTC has taken, read this article.

The FTC complaint and Wyndham’s motion to dismiss are embedded below.

There are two aspects of this affair that I want to discuss.

Who Should Regulate Data Security?

Everybody wants to have their own data security rules.  The FTC does, and so do the states. 

There are way too many governmental entities involved with the data security issue.  (Just as there are with the multi-jurisdictional insanity of privacy regulation generally.)  We need to pick one and move on. 

I’m no more a fan of the U.S. Congress than anyone else is, but uniformity of the law in the United States requires control at the Federal level.  Congress should take action to preempt state regulation in this area and Congress should give one Federal agency the authority to regulate.  One agency at the Federal level. 

Then that agency can take a plane to Brussels and work out something with the European Union.  (No, I haven’t forgotten about Asia, or Australia, Africa or South America, or Central America or Russia or any other place.  We have to start somewhere.)

Fortunately, there seems to be some movement in the right direction.  Recently there was a hearing on the subject in the House of Representatives.

Rational, Standards-Based Regulation is Necessary.

The government and the business community both need to accept the fact that things change fast in the technology world, and as a result overly specific regulations become dated too quickly.  For this reason, only a standards-based approach will work.

For the most part, the FTC does not seem to understand this.  In fact, it seems to confuse standards with specific data security methods.

As described in one of the briefs filed in support of Wyndham:

The FTC, however, rejects the common sense idea of setting forth “particularized guidelines” for businesses to follow, reasoning that it would be impossible because “[d]ata security industry standards are continually changing in response to evolving threats and new vulnerabilities.”

This is the FTC not understanding the difference between a change in the standard itself and a change in the particular facts and circumstances to which a stable standard is applied.  A rule that says “protect the data in a manner consistent with current, generally accepted industry practice” does not go stale when a particular threat or vulnerability changes; a list of specific required controls does.

As an owner of potentially vulnerable data, I want that data protected in a manner that is consistent with the latest standards.  The FTC seems to understand this only occasionally.  For example, in the FTC’s settlement with HTC over data breach issues, there is a requirement that HTC assess and report its compliance with the settlement’s terms.  The requirement reads in part:

IT IS FURTHER ORDERED that, in connection with its compliance with Part II of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession.

That’s a standards-based approach.  The FTC should consider adopting that approach in all instances.

What Happens Next?

It’s hard to say, of course.  Congress could resolve the Wyndham case and the regulatory problem by adopting legislation that preempts state law and gives the FTC regulatory power, subject to rulemaking requirements.  Or Congress could give a different agency that authority.  Whatever happens, it can’t happen too soon.  The tensions between the United States and Europe on privacy issues need to be addressed as quickly as possible, or the hit the U.S. economy may take as a result of the NSA PRISM disclosures could be worse than expected.

This entry was posted in Big Data, Data Security, Federal Trade Commission, Regulation.