Court Affirms FTC Authority Over Data-Security Practices
August 24 2015 - 1:34PM
Dow Jones News
WASHINGTON—A federal appeals court on Monday bolstered the
Federal Trade Commission's power to police corporate cybersecurity,
affirming the commission can bring cases against companies for
failing to protect customer information.
The Philadelphia-based Third U.S. Circuit Court of Appeals ruled
the FTC could proceed with a lawsuit alleging hotel chain Wyndham
Worldwide Corp. bore some of the responsibility for three breaches
from 2008 to 2010 in which hackers allegedly stole more than
619,000 credit- and debit-card numbers.
The case has been closely watched as a test of the FTC's powers.
Lawmakers in Congress haven't passed comprehensive data-security
legislation, and the FTC has sought to step into that void,
bringing more than 50 data-security cases based on its authority to
take action against unfair and deceptive business practices.
Most of the FTC's actions have resulted in settlements. Wyndham
chose to contest the agency's case, setting the stage for courts to
consider the ability of the FTC to use its traditional
consumer-protection authority to address company data-security
practices.
The FTC alleged Wyndham failed in several areas to implement
reasonable safeguards, including by leaving consumer data
unprotected by firewalls and using outdated software that couldn't
receive security updates. It wants the company to tighten its data
security and address any harms suffered by customers whose personal
information was compromised.
Wyndham argued the FTC's campaign was government overreach in
which the commission was seeking to hold businesses, rather than
hackers, responsible for cybertheft. The company likened the
lawsuit to the FTC suing a supermarket that was sloppy about
sweeping up banana peels.
A Third Circuit three-judge panel disagreed in a unanimous
ruling.
Wyndham's argument "invites the tart retort that, were Wyndham a
supermarket, leaving so many banana peels all over the place that
619,000 customers fall hardly suggests it should be immune from
liability," Judge Thomas Ambro wrote in the court's 47-page
opinion.
The panel also rejected Wyndham's argument that the FTC hadn't
provided companies with guidance on what cybersecurity measures it
considers reasonable and appropriate.
Judge Ambro said the company's case was "even weaker" because it
had been hacked three times. "At least after the second attack, it
should have been painfully clear to Wyndham" that a court could
find its conduct potentially problematic, the judge said.
FTC Chairwoman Edith Ramirez said the decision "reaffirms the
FTC's authority to hold companies accountable for failing to
safeguard consumer data. It is not only appropriate, but critical,
that the FTC has the ability to take action on behalf of consumers
when companies fail to take reasonable steps to secure sensitive
consumer information."
Wyndham didn't immediately respond to requests for comment.
Write to Brent Kendall at brent.kendall@wsj.com
Subscribe to WSJ: http://online.wsj.com?mod=djnwires
(END) Dow Jones Newswires
August 24, 2015 13:19 ET (17:19 GMT)
Copyright (c) 2015 Dow Jones & Company, Inc.
Wyndham Destinations (NYSE:WYND)
Historical Stock Chart
From Mar 2024 to Apr 2024
Wyndham Destinations (NYSE:WYND)
Historical Stock Chart
From Apr 2023 to Apr 2024