Following a series of cyber “hacks” of computer systems at Wyndham Worldwide Corporation, the FTC launched a legal battle against Wyndham and several of its subsidiaries that essentially seeks to hold Wyndham (not the actual hackers) responsible for the data breaches. In a display of crafty wordsmanship and hypothetical comparisons, Wyndham claimed in court papers that the suit is “the Internet equivalent of punishing the local furniture store because it was robbed and its files raided” while the FTC has responded that “Wyndham was a local furniture store that left copies of its customers’ credit and debit card information lying on the counter, failed to lock the doors of the store at night, and was shocked to find in the morning that someone had stolen the information.”
Although reality is almost certainly somewhere in between these two competing anecdotes, the very existence of this lawsuit raises the question of just how far this federal agency can stretch its consumer protection powers without crossing the boundary that separates its authority from that of Congress. Ultimately, the case asks whether Wyndham took adequate steps to secure and protect its customers’ information. For now, that question is left to Judge Esther Salas of the U.S. District Court in Newark, NJ.
But the questions that should be asked are ones which identify (1) who gets to set the standard for corporate cybersecurity practices, and (2) who gets to determine when “standard” is no longer enough.
From time to time, various articles related to general business operations catch my eye. Today is one of those times. I recently heard that the fifth and most recent version of the Diagnostic and Statistical Manual of Mental Disorders (“DSM”) was set to be released by the American Psychiatric Association next week, so a related article by Hunton & Williams under the title “Employers Beware” was certainly one I wanted to read. According to that article, the EEOC is expected to embrace the DSM-5 despite criticisms made by notable physicians. Those criticisms raise some serious concerns for employers, including an expanded list of impairments and disabilities for EEOC purposes, an increase in the scope of ADA and FMLA protections, and an increase in the cost of short-term disability and workers’ compensation insurance. These predicted results, along with the already impending ObamaCare law, highlight the importance of taking time to evaluate existing policies and procedures to ensure compliance with the litany of new regulations which are changing the landscape of conducting business.
A few weeks ago I posted here and published an article in the @FWBusinessPress about the proposed legislation to adopt a version of the Uniform Trade Secrets Act in Texas. I am happy to now report that the Legislature and Governor Rick Perry have made that proposal a reality. Late last week, Gov. Perry signed the Texas Trade Secrets Act into law under the Texas Civil Practice and Remedies Code to go into effect in September of this year. The Act contains some modifications to the Uniform Act, but (more importantly) it provides the much-needed clarity and modernization that the trade secret common law and decentralized statutes were lacking. According to the legislative bill analysis, the Act “adopts a modified version of the UTSA, which provides consistent and predictable statutory language for trade secret protection, updates the definition of ‘trade secret’ to reflect current business practices and technologies, and clarifies that certain business practices do not constitute misappropriation of trade secrets. [The Act] also provides easily applied standards for injunctive relief and offers an avenue for recovering attorney’s fees against willful and malicious misappropriators of trade secrets, which is currently done through the Texas Theft Liability Act. [The Act also] updates Texas law to represent modern governance of trade secrets around the country.” Always good to witness progress in action!