FTC Can Sue Firms for Failing to Protect User Data: Court

The U.S. Court of Appeals for the Third Circuit ruled on Monday that the Federal Trade Commission (FTC) can take action against companies that fail to take reasonable steps to protect their customers’ personal information.

The ruling is related to the FTC’s case against Wyndham Worldwide and three of its subsidiaries. The agency filed a complaint against Wyndham in 2012 after the hotel chain suffered three data breaches between 2008 and 2010 that allegedly resulted in the theft of data associated with hundreds of thousands of payment cards, fraudulent charges on customers’ accounts, and millions of dollars in fraud losses.

“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” stated FTC Chairwoman Edith Ramirez. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

The FTC claims Wyndham violated the FTC Act by misrepresenting the cyber security measures it had taken to protect its customers’ personal details. According to the agency, the company’s failure to safeguard the sensitive information resulted in “substantial consumer injury.”

For its part, Wyndham has defended itself against the accusations and challenged the FTC's authority to take action against organizations with lax data security practices. Furthermore, the company noted that the FTC had not published any data security guidelines for organizations to follow. The hotel company filed a motion to dismiss the case, but the U.S. District Court for the District of New Jersey denied the motion on April 7, 2014.

Wyndham says it’s disappointed by the Third Circuit Court of Appeals’ ruling.

“While we are disappointed by today’s opinion, we continue to contend the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security. It is important to note that today’s opinion was decided solely upon our motion to dismiss the FTC’s complaint, which requires the Third Circuit to take the FTC’s allegations at face value. Once the discovery process resumes, we believe the facts will show the FTC’s allegations are unfounded,” Wyndham told SecurityWeek.

“Safeguarding personal information remains a top priority for our company, and with the dramatic increase in the number and severity of cyberattacks on both public and private institutions, we believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries,” the company added.

The hotel chain is not the only company targeted by the FTC over data security. The agency has settled more than 50 such cases so far, including with Twitter and Snapchat.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.