Court Rules FTC Can Take Action Against Companies For Shoddy Cybersecurity Practices

The U.S. Federal Trade Commission has the authority to bring down the hammer on companies that do not protect customer information, a court of appeal ruled on Monday.

The United States Court of Appeals for the Third Circuit defended the FTC’s 2012 court case against Wyndham Worldwide, a restaurant and timeshare operator.

The FTC recorded a grievance against Wyndham for three information breaches in 2008 and 2009 that saw at least US $10.6 million in deceptive charges accrued on customer credit cards lost in the breach.

The court of appeal ruling, supporting a 2014 district court judgment, says the FTC can hold organizations responsible for failing to apply sensible security practices.

Wyndham was one of two organizations that had opposed the FTC’s power to implement cybersecurity standards under the FTC Act’s deceptive and unfair practices provisions.

Opponents have said the agency has no noticeably defined cybersecurity principles for companies to adhere to.

Wyndham said it was upset by the judgment, but noted that the resolution was founded on its motion to do away with the case, requiring the court of appeal to take the FTC’s claims at “face value.”

Wyndham’s confrontation of the FTC will go on in court, the corporation said.

In a formal statement, the company said, “We continue to contend the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security.” It went further to explain, “With the dramatic increase in the number and severity of cyber attacks on both public and private institutions, we believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries.”

The FTC said it was comfortable with the ruling of the court.

Edith Ramirez, agency Chairwoman, said that the court judgment “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data.” She added, “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

The FTC blamed the hotel operator of sticking to cybersecurity practices that “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”

The organization’s hotels kept payment card data in plain, legible text, and it used effortlessly guessed passwords to reach its property supervision systems, the FTC said. The organization also failed to apply “readily available security measures” like firewalls to restrict access between the organization’s property management systems, the Internet and its corporate network the FTC alleged.

Wyndham’s confidentiality policy said the corporation protects customer data “using industry-standard practices,” the FTC claimed.

On appeal, Wyndham argued that its demeanor was not in line with the congressional description in the FTC Act of “unfair.” The corporation argued that its deeds were not unjust because it was the prey of criminals.

Stay Connected