A U.S. appeals court on Monday said Wyndham Worldwide Corp. must defend a lawsuit in which it's accused of failing to secure its computers from Russian hackers.
The case will be a test of regulators' authority to police companies' cybersecurity practices.
The court in Philadelphia rejected the hotel chain's bid to end the Federal Trade Commission case.
Wyndham argued at a March 3 hearing that the company, itself a victim, was being penalized unfairly. The trade commission said it has the power to bring enforcement actions against companies it believes failed to take reasonable steps to prevent breaches.
Wyndham argued that if the Federal Trade Commission's authority extends that far, the agency has the authority to "regulate the locks on hotel room doors."
The court called that argument "alarmist to say the least."
"And it invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability," the court said in its opinion.
The Federal Trade Commission sued Wyndham after three attacks on the company's computer network in 2008 and 2009.
Wyndham hired five groups of consultants after the attacks, the chain's lawyers said. All failed to uncover how the hackers breached the system.
The breaches compromised more than 619,000 card accounts, and many of those numbers were exported to a domain registered in Russia. Fraudulent charges on accounts led to more than $10.6 million in losses.
In February, the Obama administration proposed empowering the Federal Trade Commission to require companies to abide by principles including transparency on data-collection activities, which would give consumers the right to control personal information.
The case is FTC v. Wyndham Worldwide Corp., 14-3514, U.S. Court of Appeals for the 3rd Circuit (Philadelphia).
Business on 08/25/2015