Hacking Victims Become Federal (Victims of piracy become federal objectives)

What do you do if you’re a company that gets hacked, and the Federal Trade Commission treats you like a criminal? That was the quandary facing Wyndham Hotels after the FTC claimed a data security breach gave it the right to supervise the company’s IT department.

Thus began the latest episode of the Obama Administrations’s habit of using vague laws to justify regulatory schemes that Congress never intended. More than 40 companies have already acquiesced to the FTC’s data security overreach—often small companies without the means to fight—but Wyndham to its credit is pushing back.

In the early 2000s, the FTC complained to Congress that it didn’t have the power to regulate cyber security. The Obama Administration brushed aside that legal detail, citing the catch-all language of Section 5 of the FTC Act: “Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.”

The problem with this reasoning is that the companies targeted by the FTC were the victims of “deceptive” hacking acts. But in FTC land they are guilty of an unfair trade practice for failing to have commercially reasonable data security practices for protecting consumers information.

The FTC has declined to provide specific guidelines on what constitutes “reasonable” data security, and in most cases companies find out that they were beyond the red line only after they’ve been hacked. In most of those cases, companies “caught” getting hacked must submit to penance in the form of consent decrees that allow the FTC 20 years of oversight of their IT departments. Brought to you by the experts behindHealthCare.gov.

In June 2012 the FTC filed an enforcement lawsuit charging that when Wyndham was hacked, leading to more than $10.6 million in payment-card losses, the company violated Section 5. A federal district judge upheld the FTC’s authority, but the Third Circuit Court of Appeals recently granted a rare petition for what lawyers call interlocutory review to take the case.

Even many at the FTC think the agency is stretching the law. In a speech at the U.S. Chamber of Commerce in 2013, Commissioner Maureen Ohlhausen said the agency is improperly using Section 5 to justify all manner of regulatory mischief, including antitrust enforcement. She warned about “the temptation” to use Section 5 “to avoid the requirement of clearly specifying” legal boundaries.

Maybe the FTC should first tighten its own data security. In 2012 a hacker called Anonymous took over the FTC website and posted content mocking the agency’s Anti-Counterfeiting Trade Agreement. Late last year Reuters reported that the FBI has warned that parts of the government including the Army, the Energy Department, and Health and Human Services have been hacked.

Companies have more than ample incentive to deter hacking. Target’s data breach cost hundreds of millions of dollars and damaged its reputation among customers. But using nebulous laws to hold companies to unspecified ex post facto standards of data security is an abuse of federal authority. We hope the Third Circuit tells the FTC to log out.

http://online.wsj.com/articles/wsj-hacking-victims-become-federal-targets-1408318038

What if you're a company that gets hacked, and the Federal Trade Commission to treat you like a criminal? That was the dilemma facing Wyndham Hotels after the FTC alleged a violation of data security giving the right to monitor the IT department of the company.

Thus began the latest episode of the habit of the Obama Administration to use vague laws to justify regulatory system that Congress never intended. Above 40 companies have already agreed to the security of data often overreach-FTC small businesses without the means to fight, Wyndham but his credit is pushing back.

In the early 2000, complained to the FTC that Congress had no power to regulate the cyber security. The Obama administration shelved that detail legal, citing the catchall wording of Article 5 of the FTC Act: “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, is declared illegal. ”

The problem with this reasoning is that companies run by the FTC were victims of piracy “misleading”. But on earth FTC are guilty of unfair trade practice by not having security practices commercially reasonable data to protect consumer information.

The FTC has declined to provide specific guidance on what constitutes data security “reasonable”, and in most cases, companies find that they were beyond the red line only after they have been hacked. In most of these cases, business “caught” being attacked must undergo penance in the form of consent decrees that allow the FTC 20 years of monitoring their IT departments. Brought to you by the experts behind HealthCare.gov.

June 2012, The FTC filed a compliance burden when Wyndham was hacked, leading to more of $ 10,6 million in lost payment cards, Company violated Section 5 A federal district judge upheld the authority of the FTC, but the Third Circuit Court of Appeals recently granted a rare request for interlocutory review lawyers call to bring the case.

Even many in the FTC think the agency is stretching the law. In a speech at the Chamber of Commerce USA. in 2013, Commissioner Maureen Ohlhausen said the agency is improperly using Section 5 to justify all sorts of mischief regulatory, including antitrust. She warned “temptation” section using 5 “to avoid the requirement to specify clearly” legal limits.

Perhaps the FTC should first strengthen its own data security. In 2012 hackers called Anonymous took over the website of the FTC and published content mocking Anti-Counterfeiting Trade Agreement Agency. Late last year, Reuters reported that the FBI has warned that the government parties, including the Army, Department of Energy, and Health and Human Services have been hacked.

Companies have more than enough incentive to deter piracy. Violation data Target cost hundreds of millions of dollars and damaged his reputation among customers. But using vague laws to keep companies ex post facto rules unspecified data security is an abuse of federal authority. We hope that the Third Circuit tells the FTC to log.