From: Lawfare
For my money, Paul is probably correct in pointing to some long-run consequences of this week’s FTC v. Wyndham ruling. (Among other things, the decision concluded—quite correctly, in my view—that the Federal Trade Commission may, by dint of the so-called “unfairness” prong of the Federal Trade Commission Act, sue private companies that maintain unsafe cybersecurity practices.) Here’s Paul, yesterday:
• The FTC does not, however, have to define adequate cybersecurity by rule or regulation or guidance — it may provide adequate notice of what the law requires throught its enforcement process. Prior consent decrees will need to be consulted to determine what is required.
• Whatever that standard turns out, in the end, to be it is now a minimum standard that corporate America must follow.
• I predict that the same standard will gradually be imported into other areas where FTC regulation does not extend.
Leave a Reply