HCBA Lawyer Magazine No. 31, Issue 4 | Page 58

Get involved in a section or committee! Join today in your member profile at hillsbar.com.
“Those Who Live in Glass Houses…” SolarWinds Data Breach
Technology Section Chairs: Mike Hooker - Phelps Dunbar, LLP & Ryan McGee - Morgan & Morgan, PA
Can the government point fingers when it may have failed to meet its own standards?

The Federal Trade Commission (FTC) enforces consumer protection laws to prevent fraud, deception, and unfair business practices. When companies fail to protect consumer personal information, the FTC can take law enforcement action to punish and deter such failure under the FTC Act. A key part of FTC enforcement actions is the FTC’s long-standing “reasonableness” standard, which requires entities to implement reasonable security measures. Similarly, in recent years, the FTC has asserted claims based on “unfair” cybersecurity practices. But what happens when the government’s own cybersecurity has been compromised? Can the government point fingers when it may have failed to meet its own standards? The most recent SolarWinds cybersecurity attack raises these very questions.

On January 6, 2021, the Department of Justice confirmed that it had learned of a cybersecurity attack on government and private contractors’ servers. The attack involved the introduction of malicious code into SolarWinds’ software system, Orion, which spread to its clients and went undetected for several months. Although details are sparse and the widespread effect of the hacking is unknown, it is suspected that many SolarWinds users, including government agencies as well as private entities, have been affected. As such, the attack’s impact on government agencies and private contractors alike may influence the FTC’s desire to bring enforcement actions against the private entities.
The most famous invocation of the FTC’s enforcement authority in the cybersecurity context occurred back in 2013, when the FTC launched an action against the Wyndham global hotel chain. In FTC v. Wyndham Worldwide Corp.,¹ the FTC claimed that the hotelier had exposed payment card information belonging to several hundred thousand consumers. Wyndham vigorously defended, arguing that the FTC neither had provided private entities with advance guidance on appropriate security practices nor had articulated which of Wyndham’s conduct constituted a breach of the FTC’s “unfair practices” standard. In what is now considered a landmark ruling in favor of the FTC’s enforcement authority in the cybersecurity arena, the Third Circuit held that the FTC could use the prohibition on “unfair practices” set forth in section 5 of the FTC Act to challenge private entities’ alleged data security lapses.
The question now arises as to whether the FTC might rethink the advisability of pursuing cybersecurity breach enforcement actions against private entities caught up in the massive SolarWinds breach in light of the near simultaneous hacking
continued on page 57


56 MAR - APR 2021 | HCBA LAWYER