FTC Can Sue for Misrepresented Cybersecurity

Posted August 27, 2015

Third Circuit Court of Appeals Rules Federal Trade Commission Has Authority to Sue Corporations for Failing to Secure Customer Data as Promised

Wyndham Worldwide, parent company of several hotel chains, time share properties and more, was the target of three hacks between 2008 and 2010. In those hacks, over half a million Wyndham customers had their credit cards compromised. The Federal Trade Commission then sued Wyndham for failing to do enough to safeguard its customers’ data.

Wyndham believes the Federal Trade Commission lacks the authority to sue it for lax cybersecurity. However, the Third Circuit Court of Appeals says Wyndham is wrong and the FTC does have that authority.

In a piece on buzzfeed.com which draws from material by the Associated Press’s Alex Brandon, Hamza Shaban details the decision which could have far-reaching implications for customers of other breach victims from the Ashley Madison “cheaters” dating site to Home Depot et al. The following has been excerpted from Shaban’s buzzfeed.com story and edited to fit our format. You may find his complete article by clicking on this link.

A misrepresentation: the heart of the matter

In 2012, the FTC sued Wyndham alleging the company misrepresented cybersecurity and its pledge to protect the sensitive information of its customers. In its complaint, the agency asserted that over the span of two years Wyndham suffered three unauthorized intrusions that compromised the credit card numbers of 619,000 customers and led to more than $10.6 million in fraudulent charges. The FTC alleged that against Wyndham’s stated policy, the hotel chain did not use reasonable means to protect consumer data, including strong passwords, encryption, and firewalls.

Did the FTC have the authority to sue?

At the time the suit was filed, Wyndham challenged the FTC’s broad authority to pursue it for “unfair and deceptive practices” in the realm of cybersecurity.

Take them at their word

[The FTC] engaged in a sustained campaign to “make sure that companies live up to the promises they make about privacy and data security.” The FTC has settled 53 cases in which the agency claims companies failed to maintain reasonable data security — among them, complaints against Snapchat, Twitter, and Credit Karma.

FTC Chair Edith Ramirez

“[The] Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

Locks on hotel rooms and a banana peel retort

It’s worth noting that the court rejected Wyndham’s argument that it did not have fair notice from the FTC in its decision today, dismissing as “alarmist” the company’s analogy that allowing the commission to regulate cybersecurity was akin to “[regulating] the locks on hotel room doors.”

“It invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability,” the court’s opinion reads.

FTC Chair pushes for new legislation

During a June speech in Hong Kong, Ramirez said she would urge Congress to pass comprehensive data security legislation, as the [Internet of Things], data brokers, and targeted advertising usher in a new era of tech-enabled vulnerability.

ThreatMetrix