The FTC can regulate companies with bad cybersecurity, court rules
Between 2008 and 2009, hackers broke into Wyndham’s system and swiped credit card and personal info from some 619,000 customers. The FTC’s rather sensible argument about Wyndham’s failure was that the hospitality company “unreasonably and unnecessarily” left its customer information available to hackers.
But that could change now that a federal appeals court has upheld the Federal Trade Commission’s authority to enforce data security standards.
Representatives of Wyndham and the FTC didn’t immediately respond to requests for comment on the appeals court ruling. But before the case proceeded, Wyndham appealed to a higher court to dismiss it, arguing that the FTC didn’t have the authority to punish the hotel chain for its breach. “Wyndham then discovered ‘memory-scraping malware’ used in the previous attack on more than thirty hotels’ computer systems.”
A company’s action can be unfair if it is likely to cause customer injury, and the injuries caused by a third party were foreseeable, he wrote.
The Electronic Privacy Information Center (EPIC) filed an amicus brief in the case, joined by leading technical experts and legal scholars, defending the FTC’s “critical role in safeguarding consumer privacy and promoting stronger security standards”.
The panel also rejected Wyndham’s argument that the FTC hadn’t provided companies with guidance on what cybersecurity measures it considers reasonable and appropriate. Once the discovery process resumes, we believe the facts will show the FTC’s allegations are unfounded.
The case has been closely watched as a test of the FTC’s powers. Wyndham argued that the company was also a victim of the hackings and was being penalized unfairly, Bloomberg said. Lawmakers in Congress haven’t passed comprehensive data-security legislation, and the FTC has sought to step into that void, bringing more than 50 data-security cases based on its authority to take action against unfair and deceptive business practices. Now it’s Washington’s most powerful technology cop. “Had Wyndham won at the third circuit, it would have called into question the FTC’s ability to police privacy and security”, says Hoofnagle, describing that avoided outcome as a “disaster” for the agency. As data breaches increasingly become a source of real suffering for consumers (see the reports of suicides that have already resulted from Ashley Madison’s scandalous data spill), the agency’s mandate is more important than ever.
The same holds true for companies that don’t protect user data.