“ those Who LiVe in gLass houses …” soLarWinDs Data Breach
Technology Section
continued from page 56
of related governmental agencies . One of the risks for the FTC in initiating such enforcement actions is that these entities might assert the FTC is effectively estopped because the government ’ s own cybersecurity practices were equally unfair . Alternatively , defending entities might argue the SolarWinds breach demonstrates that all victims of the attack — both governmental and private — followed “ industry standards ” and thus engaged in cybersecurity practices that are reasonable and fair .
In the years following Wyndham Worldwide , courts have appeared more amenable to holding governmental entities accountable for their own security lapses . In In re : U . S . Office of Personnel Management Data Security Breach Litigation ( OPM ), the D . C . Circuit Court allowed a suit to proceed against the government for leaving “ the door to its records unlocked ” by using an outdated software that allowed hackers to access as many as 22 million government employee records . 2 Until SolarWinds , the OPM attack was the largest breach of government data in U . S . history .
It will be interesting to see whether , and if so , how the FTC responds to the latest SolarWinds attack . While the government ’ s own vulnerability to the SolarWinds intrusion could make the FTC reluctant to pursue enforcement actions against impacted private companies for “ unfair ” security practices , the FTC ’ s failure to initiate enforcement actions could itself appear “ unfair .” Stay tuned for further developments . n
1
799 F . 3d 236 , 240 ( 3d Cir . 2015 ).
2
928 F . 3d 42 , 63 ( D . C . Cir . 2019 ).
Authors : Masiel Pelegrino Sarduy and Jeffrey Newsome - Phelps Dunbar LLP
M A R - A P R 2 0 2 1 | H C B A L A W Y E R
5 7