Court Upholds FTC Cyber Authority; Recent FTC Guidance on Insider Breaches Looms Larger

25 August 2015

Key takeaways

  • Ruling in a closely watched case, a federal appeals court has just upheld the authority of the U.S. Federal Trade Commission to bring an enforcement action against a company based on its allegedly deficient cybersecurity practices. Rejecting Wyndham Hotels’ argument that it lacked notice of what the FTC regarded as insufficient cybersecurity, the court pointed to the FTC’s publicly available complaints in past enforcement cases as well as other Commission materials.
  • The decision underscores the importance of keeping up with FTC guidance on cybersecurity practices, such as the closing letter the FTC recently issued to Morgan Stanley. There the Commission advised that it would not take enforcement action against Morgan Stanley despite an insider data breach that resulted in the exposure of customer information.
  • Organizations would do well to assess their own practices for combating insider data breach risk, a/k/a “Snowden risk,” in light of the factors that caused the FTC to spare Morgan Stanley. These included the company’s implementation of “comprehensive policies” to protect against employee theft of customer personal information; its adoption of technical measures to limit access to sensitive information and to monitor data transfers by employees; and its vigorous response to the breach.