The FTC has won a major legal battle that could allow it to prosecute companies that fail to adequately protect user data.
The U.S. Court of Appeals for the Third Circuit ruled Monday in favor of the Federal Trade Commission in Wyndham v. FTC, a case that arose after the FTC sued Wyndham Hotels & Resorts for using weak security measures that made it a sitting duck for hackers.
Wyndham had challenged the agency’s authority to prosecute it for that security failure, but on Monday, all three judges on the appeals court’s panel decided that the FTC indeed had that authority. A Wyndham spokesman told Reuters that the company was reviewing the ruling and did not suggest how it would respond.
Unless Wyndham can secure a review of the decision by the U.S. Supreme Court, Monday’s ruling effectively solidifies the FTC’s ability to prosecute companies that don’t do enough to keep customer data out of the hands of hackers.
Marc Rotenberg, president and executive director of the Electronic Privacy Information Center (EPIC), praised the decision and told the Daily Dot in an email that the FTC played “a critical role in safeguarding consumer privacy in America.” He also pointed to a key passage in the ruling, in which the court wrote:
A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.
Although hackers have increasingly targeted government agencies rich with records, like the Office of Personnel Management (OPM) and the Department of Veterans Affairs, they also continue to go after major corporations with vast troves of private data.
Russian hackers penetrated Wyndham’s systems in three separate attacks in 2008 and 2009, stealing more than 600,000 credit-card numbers and racking up more than $10 million in fraudulent charges. The FTC sued the hotel chain for failing to live up to its data-privacy responsibilities.
In court, Wyndham argued that, if the FTC could sue companies for not using strong enough security measures, it could essentially “regulate the locks on hotel room doors.” But the court dismissed that rhetoric about overly broad enforcement powers as “alarmist to say the least.”
Julie Brill, a Democratic commissioner on the FTC, tweeted about the ruling and called it “big news.”
Big news: FTC wins Third Circuit Wyndham appeal. Inadequate data security can be unfair under FTC Act & companies have adequate notice.
— Julie Brill (@JulieSBrill) August 24, 2015
Update 12:09pm CT, Aug. 24: Added comment from EPIC’s Marc Rotenberg.
H/T Reuters | Photo via Eric Fischer/Flickr (CC BY 2.0)