A federal appeals court on August 24 issued a ruling that upheld the Federal Trade Commission’s (FTC’s) authority to bring enforcement actions against companies for failure to implement effective data security practices.
The U.S. Court of Appeals for the Third Circuit unanimously ruled that the FTC’s use of its authority under Section 5 of the Federal Trade Commission Act against Wyndham Hotels and Resorts LLC provided “fair notice” because the agency’s various consent decrees and court complaints provided sufficient information as to what constituted appropriate data security practices.
“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” said FTC Chairwoman Edith Ramirez in a press release. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
Section 5 of the FTC Act gives the FTC broad authority to investigate “unfair and deceptive acts and practices in or affecting commerce.” The FTC began using this authority in 2005 to initiate investigations against companies for deficient cybersecurity safeguards and for failing to protect consumer data against hackers.
The FTC filed suit against Wyndham in June 2012 after hackers had accessed the company's computer systems three times in 2008 and 2009, and after the company declined to settle the enforcement action the agency had initiated. The FTC's suit alleged that the company engaged in unfair cybersecurity practices "that led to fraudulent charges on consumers' accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers' payment card account information to an Internet domain address registered in Russia."
The company in turn argued that the FTC exceeded its statutory authority to regulate data security and failed to provide specific rules on what constitutes “reasonable” data security standards.
The Court's opinion notes that the FTC issued a guidebook in 2007 describing a checklist of practices that constitute a sound data security plan, many of which correspond to the deficiencies alleged in the Wyndham investigation. According to the opinion, these include recommendations that companies encrypt sensitive information stored on computer networks; review the websites of software vendors for new vulnerabilities; use a firewall to protect against hacker attacks; permit only trusted employees with a legitimate business need to access computer networks; require the use of strong passwords; and implement a data breach response plan that immediately addresses security breaches, vulnerabilities, and threats.