Yes, federal regulators can go after firms whose lax security policies result in big hacks and a loss of personal data, a federal appeals court ruled Monday.
That the government should be able to punish businesses that don't protect your private information (despite telling you they do) seems like a no-brainer. But in Washington, there's been a big debate over just how far the Federal Trade Commission can go in protecting consumers from hackers.
Monday's decision from the Third Circuit Court of Appeals clarifies the FTC's powers, giving it more ammunition against businesses that fail to invest in their own security. And that could be good news for consumers in light of the growing pace of online attacks against firms such as Ashley Madison, the extramarital dating site that last week got breached and exposed at least 30 million customer records.
The court's decision finds that the FTC acted appropriately when it sued Wyndham Worldwide Corporation, a massive international hotel chain and hospitality conglomerate, after Wyndham was hacked three times in two years, exposing the credit card data of more than 600,000 customers.
"While we are disappointed by today’s opinion, we continue to contend the FTC lacks the authority to pursue this type of case against American businesses," Wyndham said in a statement. "Safeguarding personal information remains a top priority for our company."
The FTC alleged that, despite telling customers the contrary, Wyndham did virtually nothing to secure its systems. It did not use encryption, firewalls or other basic security measures such as requiring employees to use strong passwords. Wyndham's actions were "unfair" and "deceptive" toward consumers who were led to believe they were getting an adequate level of security, according to the FTC.
Wyndham responded by arguing that the FTC had stepped beyond its congressionally given authority in trying to prosecute the company after a data breach. But the court disagreed.
Wyndham argued in court documents that if the court upheld the FTC's powers in this case, it could open the door to onerous oversight of the private sector, such as the agency forcing businesses to post armed guards. The company said such a ruling would allow the FTC to sue supermarkets that are "sloppy about sweeping up banana peels."
The court scoffed at this argument, calling it "alarmist."
"It invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability," it added.
The FTC has aggressively pursued data security cases in recent years, though much of the time it settles with the companies it investigates. The Wyndham case is a notable exception and is expected to become even more relevant as hacking and data breaches become mainstream occurrences. With the appellate court ruling in the FTC's favor, the agency could become emboldened to act even more decisively against businesses it believes are being deceptive about their security practices.
"It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information," said FTC Chairwoman Edith Ramirez in a statement.