The FTC May Have the Ability to Prosecute for Lax Cybersecurity
After a seemingly endless parade of corporate security incidents in the past few months, the average American consumer may finally have the federal government in his or her corner.
According to a recent 3-0 ruling by the Third Circuit Court of Appeals in Philadelphia, the Federal Trade Commission (FTC) has the right to further pursue its case against hotel operator Wyndham Worldwide Corporation on behalf of more than 600,000 hotel patrons.
The case itself arose from three separate breaches in 2008 and 2009, when hackers broke into Wyndham’s servers and made off with credit card numbers and personally identifiable information, which were then used to rack up over $10.6 million in fraudulent charges.
The FTC’s authority in all of this stems from a broad 1914 law intended to protect consumers from deceptive and unfair trade practices, and in this case, protect against corporate negligence in the digital space. In the decision, Circuit Judge Thomas Ambro said Wyndham failed to show that its alleged conduct “falls outside the plain meaning of ‘unfair.’” FTC Chairwoman Edith Ramirez seemed to agree with the decision, saying that “the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
Alleging that Wyndham’s systems unreasonably and unnecessarily exposed customer data to the risk of theft, the FTC began bringing its case against the hotel management company in June 2012. Since then, Wyndham has tried and failed to have the case dismissed, claiming the FTC’s allegations were alarmist and that the company was not given enough notice of what the agency could reasonably require in terms of security standards.
As Wyndham’s portfolio includes popular hotel brands such as Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge, the implications of this decision may cause Wyndham a lot of pain in the future. This precedent is interesting because it allows businesses with lax security practices to be held accountable for omissions in due diligence after a security breach. In the past few months, Congress has been working toward a federally mandated breach notification law, but little has actually been done to hold corporations culpable for their security failings. A case like this might be just what companies need to start caring about the security of their customers’ private data.