FTC Data Security Enforcement Actions Held Legal

    Sep 08, 2015

    A federal appeals court on August 24 issued a ruling that upheld the Federal Trade Commission’s (FTC’s) authority to bring enforcement actions against companies for failure to implement effective data security practices.

    The U.S. Court of Appeals for the Third Circuit unanimously ruled that the FTC’s use of its authority under Section 5 of the Federal Trade Commission Act against Wyndham Hotels and Resorts LLC provided “fair notice” because the agency’s various consent decrees and court complaints provided sufficient information as to what constituted appropriate data security practices. 

    “Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” said FTC Chairwoman Edith Ramirez in a press release.  “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

    Section 5 of the FTC Act gives the FTC broad authority to investigate “unfair and deceptive acts and practices in or affecting commerce.”  The FTC began using this authority in 2005 to initiate investigations against companies for deficient cybersecurity safeguards and for failing to protect consumer data against hackers.

    The FTC filed a suit against Wyndham in June 2012 after hackers successfully accessed the company computer systems three times in 2008 and 2009, and the company decided not to settle after the agency initiated an enforcement action.  The FTC’s suit alleged that the company engaged in unfair cybersecurity practices “that led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.”

    The company in turn argued that the FTC exceeded its statutory authority to regulate data security and failed to provide specific rules on what constitutes “reasonable” data security standards.

    The Court, however, disagreed, arguing that “A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profit of their business.”

    The Court’s opinion notes that the FTC issued a guidebook in 2007 that describes a checklist of practices that constitute a sound data security plan, many of which were alleged in the Wyndham investigation.  This includes, according to the opinion, recommendations that companies encrypt sensitive information stored on computer networks; review the websites of software vendors for new vulnerabilities; use a firewall to protect against hacker attacks; permit only trusted employees with a legitimate business need to access computer networks; require the use of strong passwords; and implement a data breach response plan that immediately addresses security breaches, vulnerabilities, and threats.

    The Washington Policy Brief is an online advisory that contains brief summaries of recent legislative and regulatory issues that may affect the records and information management profession. Further information about the issue is accessed by clicking on the link provided at the end of each summary.


    Want to sign up to receive an e-mail version of the Washington Policy Brief? It's free! Just tell us a little about yourself and you'll receive a monthly dose of the latest in legislation, regulation, and more.



    © 2017, ARMA International