In a unanimous decision on Monday, the Third U.S. Circuit Court of Appeals ruled the Federal Trade Commission (FTC) has the authority to police corporate cybersecurity. The decision – stemming from the lawsuit FTC v Wyndham Worldwide Corp et al – affirms the FTC’s right to bring cases against companies that it believes are failing to protect customer information.
The FTC sued Wyndham in June of 2012, alleging it “unreasonably and unnecessarily” exposed consumer data. The commission is specifically claiming that Wyndham should be held accountable for three breaches in 2008 and 2009 in which hackers broke into the hotel’s computer system and stole credit card information from more than 619,000 people. The compromised data was used to run up over $10.6 million in fraudulent charges, with many of the stolen card numbers exported to a domain registered in Russia.
Wyndham, which operates brands like Howard Johnson, Days Inn, Super 8, Ramada and Travelodge, continues to argue the suit is an example of government overreach. “Once the discovery process resumes, we believe the facts will show the FTC’s allegations are unfounded,” Michael Valentino, a Wyndham spokesperson, said in a statement. “Safeguarding personal information remains a top priority for our company and, with the dramatic increase in the number and severity of cyberattacks on both public and private institutions, we believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries.”
After the Monday ruling, FTC Chairwoman Edith Ramirez praised the court’s decision. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information,” she said.
To date, the FTC has brought data security cases against more than 50 companies, with most firms settling out of court and agreeing to strengthen protection protocols. When Wyndham challenged the FTC’s suit, the case became closely watched by legal observers seeking precedent on cybersecurity regulation. While proposals have been made, Congress has so far been unsuccessful in passing extensive data security rules, leaving the FTC an opening to target firms it views as violators.