Public and Private Cybersecurity After Wyndham

Wells Bennett
Thursday, August 27, 2015, 1:11 PM

Published by The Lawfare Institute
in Cooperation With
Brookings

For my money, Paul is probably correct in pointing to some long-run consequences of this week’s FTC v. Wyndham ruling. (Among other things, the decision concluded—quite correctly, in my view—that the Federal Trade Commission may, by dint of the so-called “unfairness” prong of the Federal Trade Commission Act, sue private companies that maintain unsafe cybersecurity practices.) Here’s Paul, yesterday:

  • The FTC does not, however, have to define adequate cybersecurity by rule or regulation or guidance -- it may provide adequate notice of what the law requires through its enforcement process. Prior consent decrees will need to be consulted to determine what is required.

  • Whatever that standard turns out, in the end, to be, it is now a minimum standard that corporate America must follow.

  • I predict that the same standard will gradually be imported into other areas where FTC regulation does not extend.

One such area: federal cybersecurity. Of course Wyndham is all about federal consumer protection officials suing private entities, for the latter's cyber shortcomings; but I am interested in what, if anything, the case might portend for roughly the opposite scenario, in which private persons sue the feds for similar reasons.

Here’s some speculation, for what it’s worth.

Procedurally speaking, the Federal Tort Claims Act waives (with some important and sometimes rule-eating exceptions) the government’s immunity from tort suits involving the actions or omissions of federal employees, committed within the latter’s scope of employment. So far as the substance goes, the statute also holds the government liable to the same extent that state tort law would call for liability against a private tort defendant. Naturally the Federal Trade Commission Act’s ban on unfair acts or practices doesn’t read or work in the same way, for obvious reasons.

But one would think that all other things being equal, the law wouldn’t establish one cybersecurity standard for private companies while laying out a different one for the United States and its officers. Absent a good reason otherwise, the answer probably shouldn’t be “the brass at IRS or DHS have to try this hard to protect taxpayer identifying information, but Target’s people have to try that much harder to protect the same information on their customers.”

That’s where a new raft of FTC consent decrees, of the kind Paul alluded to, might come in: These might influence state tort law, and vice versa, thus encouraging private and public cybersecurity standards to merge over time—despite some vastly different legal architecture.

And to be sure, merger is but one plausible scenario among many. Here’s another: What if an incipient universe of FTC unfairness law winds up suggesting a different measure of legally required cyber-caution for private outfits than state tort law suggests for federal officers acting in the scope of their employment? For better or worse, and rationally or not, cyber liability standards might then vary for public and private parties committing the same actions and omissions, and with respect to the same data.


Wells C. Bennett was Managing Editor of Lawfare and a Fellow in National Security Law at the Brookings Institution. Before coming to Brookings, he was an Associate at Arnold & Porter LLP.