
FTC Can Sue Firms for Failing to Protect User Data: Court

The U.S. Court of Appeals for the Third Circuit ruled on Monday that the Federal Trade Commission (FTC) can take action against companies that fail to take reasonable steps to protect their customers’ personal information.


The ruling is related to the FTC’s case against Wyndham Worldwide and three of its subsidiaries. The agency filed a complaint against Wyndham in 2012 after the hotel chain suffered three data breaches between 2008 and 2010 that allegedly resulted in the theft of data associated with hundreds of thousands of payment cards, fraudulent charges on customers’ accounts, and millions of dollars in fraud loss.

“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” stated FTC Chairwoman Edith Ramirez. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

The FTC claims Wyndham violated the FTC Act by misrepresenting the cyber security measures it had taken to protect its customers’ personal details. According to the agency, the company’s failure to safeguard the sensitive information resulted in “substantial consumer injury.”

For its part, Wyndham has defended itself against the accusations and challenged the FTC’s authority to take action against organizations with lax data security practices. Furthermore, the company noted that the FTC had not published any data security guidelines for organizations to follow. The hotel company filed a motion to dismiss the case, but the U.S. District Court for the District of New Jersey denied the motion on April 7, 2014.

Wyndham says it’s disappointed by the Third Circuit Court of Appeals’ ruling.

“While we are disappointed by today’s opinion, we continue to contend the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security. It is important to note that today’s opinion was decided solely upon our motion to dismiss the FTC’s complaint, which requires the Third Circuit to take the FTC’s allegations at face value. Once the discovery process resumes, we believe the facts will show the FTC’s allegations are unfounded,” Wyndham told SecurityWeek.

“Safeguarding personal information remains a top priority for our company, and with the dramatic increase in the number and severity of cyberattacks on both public and private institutions, we believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries,” the company added.

The hotel chain is not the only company targeted by the FTC over data security. The agency has settled more than 50 such cases so far, including with Twitter and Snapchat.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
