The Federal Trade Commission (FTC) has the authority to sue companies that have weak cybersecurity, based on a ruling by the U.S. Court of Appeals for the Third Circuit.
On Monday, Aug. 24, the court adjudged that the FTC can take enforcement action against establishments that deploy inadequate precautionary IT security practices and, as a result, are unable to avert a cyber breach.
The ruling comes out of the legal battle being waged between Wyndham Worldwide Corporation and the FTC.
In 2008 and 2009, Wyndham, which manages several hotels in the U.S., suffered three cyber attacks on its network. As a result, the payment card data of over 619,000 customers was compromised, and fraudulent activity led to a $10.6 million loss.
In 2012, the FTC took Wyndham to court for failure to safeguard its customers against hackers. However, the hotel operator countered the lawsuit by asserting that it too was a victim of the cyber attack and, therefore, the FTC should not sue it for the breach.
In its lawsuit, the FTC also alleged that Wyndham's cybersecurity practices were unfair and that the operator's privacy policy was misleading consumers. According to the FTC, Wyndham did not encrypt data or use firewalls, which contradicted the company's own policies.
The current ruling by the U.S. Court of Appeals for the Third Circuit upholds an April 2014 ruling that allowed the case to proceed. In the Philadelphia court, Judge Thomas L. Ambro noted that Wyndham, which has brands such as Super 8, Howard Johnson, Days Inn and Travelodge, failed to demonstrate that the claimed conduct fell "outside the plain meaning of 'unfair.'"
Ambro also rejected the hotel operator's "alarmist" argument that allowing the FTC to regulate Wyndham's conduct would give the agency the power to regulate things such as hotel room locks, or even to sue supermarkets that failed to sweep up banana peels.
"Today's Third Circuit Court of Appeals decision reaffirms the FTC's authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information," noted Edith Ramirez, FTC's Chairwoman.