Court says FTC can punish firms for lax security

The U.S. Court of Appeals for the Third Circuit found that the FTC is within its rights to bring suit against firms for lax information security practices that harm consumers.

In-brief: the U.S. Federal Trade Commission has the authority to punish firms for failing to protect their customers' data, a U.S. Federal appeals court ruled on Monday, in a clear victory for the Commission as it seeks to regulate information security practices within private sector firms.


The U.S. Federal Trade Commission has the authority to punish firms for failing to protect their customers' data, a U.S. Federal appeals court ruled on Monday.

The decision by the U.S. Court of Appeals for the Third Circuit found that the FTC was within its rights to sue the hotel operator Wyndham Worldwide after three data breaches at the chain in 2008 and 2009 resulted in fraudulent charges to Wyndham customers totaling some $10.6 million. The Commission acted within its statutory authority in fining the company for poor cybersecurity practices.

The ruling (PDF available here) is likely to strengthen the hand of the FTC and the federal government in pushing private sector firms to strengthen cyber security measures, placing information security protections alongside the other kinds of fair business practices governed by the FTC.


The FTC had alleged in a 2012 case that Wyndham had engaged in unfair cybersecurity practices that “unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft.” Among the failings: Wyndham had stored customers’ payment card data in clear text and regularly allowed the use of easily guessed passwords for accessing its property management systems. The company also maintained a flat network, with few impediments to moving between the Internet, Wyndham’s corporate network and the property management systems for its various hotels and time share apartments.

FTC Commissioner Julie Brill will speak at the Sept. 10th Security of Things Forum in Cambridge, MA.

Wyndham had appealed that case, arguing, in essence, that lax cyber security practices did not clear the statutory hurdle for “unfairness” that the Commission was set up to police. At one point, the hotel chain cited a Webster’s dictionary definition of “unfair,” arguing that its practices weren’t unfair since they were not inequitable or “marked by injustice, partiality, or deception,” as defined by Webster. That prompted this rebuke from the Third Circuit Court of Appeals:

“Whether these are requirements of an unfairness claim makes little difference here. A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.”

The Federal Trade Commission has been at the forefront in addressing privacy and security concerns brought about by rapid technology change and adoption. In March, the Commission announced that it was creating a new Office of Technology Research and Investigation to expand its research into areas such as privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, big data, and the Internet of Things.

One noted legal expert said the ruling was “hugely important” in affirming the FTC’s right to address information security practices at U.S. companies.

“What was at issue was the FTC’s ability to engage in enforcement activity around information security conduct generally,” said Andrea Matwyshyn, a law professor at Northeastern University and Microsoft Visiting Professor at the Center for Information Technology Policy at Princeton University. “This ruling will validate the (FTC’s) strategy in terms of security enforcement to this point and make them feel more comfortable bringing enforcement cases against companies that fail to enact reasonable privacy and security practices,” she said.

The Appeals Court also used the ruling to lay out the salient facts of Wyndham’s case and the company’s loss of control over customer information. General counsel within companies will likely look to that as a roadmap to the kinds of issues that are clearly under the purview of the FTC to police, Matwyshyn said.