
FTC can sue companies with poor information security, appeals court says

Court says Wyndham hotels practices could be considered “unfair” and “deceptive.”

Wyndham Bonnet Creek.

On Monday, a federal appeals court ruled that the Federal Trade Commission (FTC) has the power to take action (PDF) against companies that employ poor IT security practices. The ruling, from the United States Court of Appeals for the Third Circuit, came as part of a lawsuit between the FTC and Wyndham Worldwide Corporation, which manages a collection of hotels throughout the US.

In 2008 and 2009, Wyndham suffered three different breaches of its network, ultimately losing payment card information for more than 619,000 customers and causing $10.6 million in loss due to fraud. The FTC sued Wyndham in 2012 for failing to protect its customers from hackers, and Wyndham countered by saying that it was a victim of the hack itself and should not be penalized by the FTC for the breach.

The Philadelphia-based appeals court allowed the FTC's case against Wyndham to go forward in district court, and it noted that the FTC could use its authority to pursue “cybersecurity” cases under 15 U.S.C. Sec. 45, part of a 1914 law that gives the FTC the power to prohibit “unfair or deceptive acts or practices in or affecting commerce.” The court also noted that the FTC did not have to spell out the specific security practices that Wyndham fell short of in order to bring a case against the company. In this instance, however, the FTC did so, claiming that Wyndham allowed its partner hotels to store credit card information in plain text, allowed easily guessable passwords in property management software, failed to use firewalls to limit access to the corporate network, and failed to restrict third-party vendors' access to its network, among other things.

The FTC argued that “taken together, [Wyndham] unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” Although the US government has not mandated a specific level of security that businesses holding customer data must meet, the FTC has been trying to push companies to invest in security. In January, the FTC spoke to Ars about tempering the ebullience surrounding the so-called “Internet of Things.” Recent hacks at big box retailers like Target and Home Depot, as well as the Ashley Madison breach, have added to the sense that information security is in an "anything goes" state in the US. According to Bloomberg, "In February, the Obama administration proposed empowering the FTC to require companies to abide by principles including transparency on data-collection activities, giving consumers the right to control personal information."

In a statement to Ars, FTC Chairwoman Edith Ramirez wrote, “Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.” Wyndham has not responded to Ars' request for comment.
