A U.S. appeals court ruled on Monday that the Federal Trade Commission has the authority to sue corporations for failing to properly secure customer information from data breaches, giving the agency the green light to hold hotel operator Wyndham Worldwide accountable for failing to safeguard consumers' data against three hacks, from 2008 to 2010.
The decision of the 3rd Circuit Court of Appeals upholds the FTC's authority to take enforcement action against a company that has failed to protect consumer data from theft. As Congress has yet to pass a robust data privacy bill amid a barrage of breaches, this ruling bolsters the commission's initiative to protect customers in the marketplace using its law enforcement powers.
Monday's decision could also be good news for weary consumers in light of recent high-profile attacks against companies like Ashley Madison, the dating site for married individuals, whose user information was leaked last week and has been criticized for its lack of robust data security.
In 2012, the FTC sued Wyndham alleging the company misrepresented its pledge to protect the sensitive information of its customers. In its complaint, the agency asserted that over the span of two years Wyndham suffered three unauthorized intrusions that compromised the credit card numbers of 619,000 customers and led to more than $10.6 million in fraudulent charges. The FTC alleged that against Wyndham's stated policy, the hotel chain did not use reasonable means to protect consumer data, including strong passwords, encryption, and firewalls.
At the time the suit was filed, Wyndham challenged the FTC's broad authority to pursue it for "unfair and deceptive practices" in the realm of cybersecurity. Last year, a district court rejected Wyndham's motion to dismiss to the case, and on Monday the appeals court affirmed this decision, siding with the FTC, which has engaged in a sustained campaign to "make sure that companies live up to the promises they make about privacy and data security." The FTC has settled 53 cases in which the agency claims companies failed to maintain reasonable data security — among them, complaints against Snapchat, Twitter, and Credit Karma.
"Today's Third Circuit Court of Appeals decision reaffirms the FTC's authority to hold companies accountable for failing to safeguard consumer data," FTC Chair Edith Ramirez said in a statement to BuzzFeed News. "It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information."
Wyndham, for its part, maintains that the FTC is overreaching. "While we are disappointed by today's opinion, we continue to contend the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security," Michael Valentino, a spokesperson for Wyndham Worldwide, told BuzzFeed News.
It's worth noting that the court rejected Wyndham's argument that it did not have fair notice from the FTC in its decision today, dismissing as "alarmist" the company's analogy that allowing the commission to regulate cybersecurity was akin to "[regulating] the locks on hotel room doors."
"It invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability," the court's opinion reads.
During a June speech in Hong Kong, Ramirez said she would urge Congress to pass comprehensive data security legislation, as the internet of things, data brokers, and targeted advertising usher in a new era of tech-enabled vulnerability.
Hamza Shaban is a technology policy reporter for BuzzFeed News and is based in Washington, DC.
Contact Hamza Shaban at Hamza.Shaban@buzzfeed.com.
Got a confidential tip? Submit it here.