According to an appeals court ruling, the U.S. Federal Trade Commission has the right to take action against any company that fails to protect customer data.
The U.S. Court of Appeals for the Third Circuit upheld the FTC’s 2012 lawsuit against Wyndham Worldwide, a hotel and time-share operator. Three data breaches in 2008 and 2009 led the FTC to file a complaint against Wyndham. The breaches resulted in more than $10.6 million in fraudulent charges.
A 2014 district court decision establishes that the FTC can hold companies responsible for not following proper procedures in security practices.
Wyndham and one other company challenged the FTC’s authority to enforce cybersecurity standards under the FTC Act. Critics have claimed that the agency doesn’t provide specific cybersecurity standards for companies.
Wyndham claims the decision to take the FTC’s side was based only on its motion to dismiss the case. The company says it will continue challenging the FTC in court.
The company said in a statement, “We continue to contend the FTC lacks the authority to pursue this type of case against American businesses and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security. With the dramatic increase in the number and severity of cyberattacks on both public and private institutions, we believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries.”
The FTC was pleased with the court ruling.
Agency Chairwoman Edith Ramirez said in a statement that the ruling “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
The FTC blamed the hotel operator for using cybersecurity practices that “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”
The FTC claimed that the company’s hotels kept payment card information in clear, legible text and used easily guessed passwords for access to its property management systems. The FTC also claimed the company failed to use “readily available security measures,” for example, firewalls, that limit access between the company’s property management systems, corporate network, and the Internet. The FTC said that Wyndham’s privacy policy states the company safeguards customer data “using industry-standard practices.”
Wyndham argued that its conduct didn’t fit the FTC Act’s definition of “unfair.” The company claimed it was the victim of the criminals. Appeals court Judge Thomas Ambro rejected the argument and wrote in his decision that the company “offers no reasoning or authority for this principle, and we can think of none ourselves.” He also wrote that a company’s action can be unfair if it is likely to cause injury to customers, and the injuries caused by a third party were foreseeable.
Wyndham’s argument that the FTC’s cybersecurity rules are too vague was also rejected by Ambro. He wrote that the unfairness standard in the FTC Act focuses on the substantial injury to consumers that they cannot reasonably avoid themselves. He also added, “While far from precise, this standard informs parties that the relevant inquiry here is a cost-benefit analysis.”
In my opinion, I think the court’s ruling is acceptable. I believe customers’ valuable information should be highly protected. A company should take precautions in protecting its customers, and the responsibility should fall back on the company that fails to protect them.