Authority of FTC Over Cyber Security and Data Breaches Upheld

Philadelphia, PAA recent decision by a US appeals court reveals a surprising source for the enforcement of cyber security: the US Federal Trade Commission (FTC). In the absence of any concrete enforcement coming out of the US Congress, it appears that authority given to the FTC 101 years ago qualifies the agency to ride shotgun over the seemingly unstoppable data breaches. It provides a bit of solace to consumers blindsided by hacks and identity theft.

The lawsuit serving as fodder for this revelation is Federal Trade Commission v. Wyndham Worldwide Corp et al, 3rd US Circuit Court of Appeals, Case No. 14-3514.

Wyndham Worldwide Corp (Wyndham) is an operator of hotels and motels with brands well known by Americans and global travelers: Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge. The lawsuit against Wyndham by the FTC arose from a series of hacks into Wyndham’s computer system in 2008 and 2009. The breaches resulted in the theft of credit card information and other personal data from more than 619,000 consumers who, as a result, had to collectively deal with in excess of $10.6 million in fraudulent charges stemming from the data breach.

Wyndham, in 2012, found itself a target for a data breach lawsuit brought by the FTC, which accused Wyndham of maintaining computer systems that unreasonably and unnecessarily exposed consumer data to risk for theft.

Wyndham attempted to have the case dismissed, suggesting that the FTC was reaching beyond its mandate in launching the lawsuit, but Wyndham’s petition was rejected by a US District Court. Wyndham appealed. In August, the 3rd US Circuit Court of Appeals in Philadelphia upheld the original ruling from April of last year in a unanimous decision.

Circuit Judge Thomas Ambro, who penned the decision, noted that a law originally passed in 1914 provided the FTC with broad authority to protect the consumer from unfair and deceptive trade practices - and those practices can embrace the lack of adequate security systems required to protect the private and sensitive information of consumers.

Wyndham, or so it has been reported, argued that giving the FTC the power to regulate cyber security in this fashion would be akin to FTC authority over hotel room door locks or supermarkets that allow banana peels to accumulate on the floor.

Ambro would have none of that argument. “It invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability,” Ambro wrote, who described Wyndham’s argument somewhat “alarmist.”

Industry watchers have been following this case with interest, given the inability of Congress thus far to mount any meaningful cyber-policing legislation. The FTC will be under the microscope now going forward with this vote of confidence from the courts within a situation that marries the old and the new: the policing of cyber security on behalf of consumers within a data environment that is forever changing, through the mandate of authority bestowed upon the FTC over a hundred years ago.