In-brief: the U.S. Federal Trade Commission has the authority to punish firms for failing to protect their customers’ data, a U.S. Federal appeals court ruled on Monday, in a clear victory for the Commission as it seeks to regulate information security practices at private sector firms.
The U.S. Federal Trade Commission has the authority to punish firms for failing to protect their customers’ data, a U.S. Federal appeals court ruled on Monday.
The decision by the U.S. Court of Appeals for the Third Circuit found that the FTC was within its rights to sue the hotel operator Wyndham Worldwide after three data breaches at the chain in 2008 and 2009 resulted in fraudulent charges to Wyndham customers totaling some $10.6 million. The Commission acted within its statutory authority in bringing the case against the company over its poor cybersecurity practices.
The ruling (PDF available here) is likely to strengthen the hand of the FTC and the federal government in pushing private sector firms to improve their cyber security measures, placing information security protections alongside the other kinds of fair business practices the FTC already polices.
The FTC had alleged in a 2012 complaint that Wyndham had engaged in “unfair cybersecurity practices” that “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” Among the failings: Wyndham stored customers’ payment card data in clear text and routinely allowed easily guessed passwords for access to its property management systems. The company also maintained a flat network, with few impediments to moving between the Internet, Wyndham’s corporate network and the property management systems of its various hotels and time-share properties.
Wyndham had appealed the case, arguing, in essence, that lax cyber security practices did not clear the statutory hurdle for “unfairness” that the Commission was set up to police. At one point the hotel chain cited a Webster’s dictionary definition of “unfair,” arguing that its practices were not unfair because they were not inequitable or “marked by injustice, partiality, or deception,” as Webster defines the word. That argument drew a rebuke from the Third Circuit Court of Appeals.
The Federal Trade Commission has been at the forefront in addressing privacy and security concerns brought about by rapid technology change and adoption. In March, the Commission announced that it was creating a new Office of Technology Research and Investigation to expand its research into areas such as privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and the Internet of Things.
One noted legal expert said the ruling was “hugely important” in affirming the FTC’s right to address information security practices at U.S. companies.
“What was at issue was the FTC’s ability to engage in enforcement activity around information security conduct generally,” said Andrea Matwyshyn, a law professor at Northeastern University and Microsoft Visiting Professor at the Center for Information Technology Policy at Princeton University. “This ruling will validate the (FTC’s) strategy in terms of security enforcement to this point and make them feel more comfortable bringing enforcement cases against companies that fail to enact reasonable privacy and security practices,” she said.
The Appeals Court also used the ruling to lay out the salient facts of Wyndham’s case and the company’s loss of control over customer information. General counsel within companies will likely look to that as a roadmap to the kinds of issues that are clearly under the purview of the FTC to police, Matwyshyn said.