WASHINGTON—A federal appeals court on Monday bolstered the Federal Trade Commission's power to police corporate cybersecurity, affirming the commission can bring cases against companies for failing to protect customer information.

The Philadelphia-based Third U.S. Circuit Court of Appeals ruled the FTC could proceed with a lawsuit alleging hotel chain Wyndham Worldwide Corp. bore some of the responsibility for three breaches from 2008 to 2010 in which hackers allegedly stole more than 619,000 credit- and debit-card numbers.

The case has been closely watched as a test of the FTC's powers. Lawmakers in Congress haven't passed comprehensive data-security legislation, and the FTC has sought to step into that void, bringing more than 50 data-security cases based on its authority to take action against unfair and deceptive business practices.

Most of the FTC's actions have resulted in settlements. Wyndham chose to contest the agency's case, setting the stage for courts to consider the ability of the FTC to use its traditional consumer-protection authority to address company data-security practices.

The FTC alleged Wyndham failed in several areas to implement reasonable safeguards, including by leaving consumer data unprotected by firewalls and using outdated software that couldn't receive security updates. It wants the company to tighten its data security and address any harms suffered by customers whose personal information was compromised.

Wyndham argued the FTC's campaign was government overreach in which the commission was seeking to hold businesses, rather than hackers, responsible for cybertheft. The company likened the lawsuit to the FTC suing a supermarket that was sloppy about sweeping up banana peels.

A Third Circuit three-judge panel disagreed in a unanimous ruling.

Wyndham's argument "invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability," Judge Thomas Ambro wrote in the court's 47-page opinion.

The panel also rejected Wyndham's argument that the FTC hadn't provided companies with guidance on what cybersecurity measures it considers reasonable and appropriate.

Judge Ambro said the company's case was "even weaker" because it had been hacked three times. "At least after the second attack, it should have been painfully clear to Wyndham" that a court could find its conduct potentially problematic, the judge said.

FTC Chairwoman Edith Ramirez said the decision "reaffirms the FTC's authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information."

Wyndham didn't immediately respond to requests for comment.

Write to Brent Kendall at brent.kendall@wsj.com

Subscribe to WSJ: http://online.wsj.com?mod=djnwires

(END) Dow Jones Newswires

August 24, 2015 13:19 ET (17:19 GMT)

Copyright (c) 2015 Dow Jones & Company, Inc.
Wyndham Destinations (NYSE:WYND)
Historical Stock Chart
From Mar 2024 to Apr 2024 Click Here for more Wyndham Destinations Charts.
Wyndham Destinations (NYSE:WYND)
Historical Stock Chart
From Apr 2023 to Apr 2024 Click Here for more Wyndham Destinations Charts.