Federal Court Says FTC Has Power to Enforce Cybersecurity

The ruling serves as a wake-up call for enterprises, pressuring them to ensure their cybersecurity controls are effective.

WASHINGTON – A U.S. appeals court said the Federal Trade Commission (FTC) has authority to regulate corporate cybersecurity, and may pursue a lawsuit accusing hotel operator Wyndham Worldwide Corp. of failing to properly safeguard consumers’ information.

RELATED: PSA Security Network Forges Vendor Partnerships to Advance Cybersecurity

The 3-0 decision by the 3rd U.S. Circuit Court of Appeals in Philadelphia on Monday upheld an April 2014 lower court ruling allowing the case to go forward.

The FTC wants to hold Wyndham accountable for three breaches in 2008 and 2009 in which hackers broke into its computer system and stole credit card and other details from more than 619,000 consumers, leading to over $10.6 million in fraudulent charges.

RELATED: Confronting the Cybersecurity Challenge

Noting the FTC’s broad authority under a 1914 law to protect consumers from unfair and deceptive trade practices, Circuit Judge Thomas Ambro said Wyndham failed to show that its alleged conduct “falls outside the plain meaning of ‘unfair.’”

Wyndham brands include Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge.

A company spokesman, Michael Valentino, said “safeguarding personal information remains a top priority” for the Parsippany, New Jersey-based company. “We believe the facts will show the FTC’s allegations are unfounded,” he added.

FTC Chairwoman Edith Ramirez welcomed the decision.

“It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information,” she said.

Congress has not adopted wide-ranging legislation governing data security, a growing concern after high-profile breaches such as at retailer Target Corp., infidelity Web site Ashley Madison, and even U.S. government databases.

In a test of its power to fill the void, the FTC sued Wyndham in June 2012, claiming its computers “unreasonably and unnecessarily” exposed consumer data to the risk of theft.

Wyndham accused the FTC of overreaching, but U.S. District Judge Esther Salas in Newark, New Jersey, let the case proceed. Affirming that ruling, Ambro rejected Wyndham’s argument that it lacked “fair notice” about what the FTC could require.

He also rejected what he called Wyndham’s “alarmist” argument that letting the FTC regulate its conduct could give the agency effective authority to regulate hotel room door locks, or sue supermarkets that fail to sweep up banana peels.

“It invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability,” Ambro wrote.

The case is Federal Trade Commission v Wyndham Worldwide Corp. et al, 3rd U.S. Circuit Court of Appeals, No. 14-3514.

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

Security Is Our Business, Too

For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Commercial Integrator + Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add to your bottom line.

A FREE subscription to the top resource for security and integration industry will prove to be invaluable.

Subscribe Today!

Get Our Newsletters