US court confirms regulator's power to sue over data security failings

Out-Law News | 25 Aug 2015 | 2:40 pm

The US Federal Trade Commission (FTC) has the power to prosecute businesses for data security failings, the US Court of Appeals has ruled.

The Court rejected claims from hotel business Wyndham Worldwide that the regulator had no authority to sue it.

Wyndham experienced three cyber attacks in 2008 and 2009, with hackers gaining access to the personal data of more than 600,000 Wyndham customers. Payment card data was stolen in the attacks, and more than $10 million worth of fraud was perpetrated in their aftermath.

The FTC sued Wyndham over the attacks, accusing the company of engaging in "unfair cyber security practices" which it said "unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft", according to the judgment (47-page / 465KB PDF).

Amongst the allegations it levelled at Wyndham were that the company allowed its branded hotels to "store payment card information in clear readable text", that the company allowed "easily guessed passwords" to be used, and that it did not deploy firewalls. The FTC also claimed that Wyndham "failed to employ 'reasonable measures to detect and prevent unauthorized access' to its computer network or to 'conduct security investigations'" and that it also did not follow "proper incident response procedures".

The FTC's legal action was brought under the Federal Trade Commission Act. The Act prohibits "unfair or deceptive acts or practices in or affecting commerce".

Wyndham argued that those provisions could not be applied in the context of data security and said that the FTC could therefore not bring an action against it. However, the Court of Appeals said the Act does allow the FTC to sue companies over data security failings. The judgment was welcomed by the regulator.

FTC chairwoman Edith Ramirez said the ruling "reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data".

"It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information," Ramirez said.