Appeals court upholds FTC's authority to enforce data security standards

Photo (c) Wyndham Hotels

The case involved three Wyndham Hotel security breaches that exposed consumer information

When corporation databases are breached by hackers who steal consumers' private information, the company response often amounts to little more than "Sorry about that."

But that could change now that a federal appeals court has upheld the Federal Trade Commission's authority to enforce data security standards. The case involved a data breach affecting customers of Wyndham Hotels.

In June 2012, the FTC sued Wyndham, saying it had misrepresented the security measures it took to protect customers and charging that alleged data security failures led to three data breaches at Wyndham hotels in less than two years.

The FTC alleged that the failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.

The court disagreed

Wyndham argued that the FTC lacked the authority to enforce security standards, but the Eighth U.S. Circuit Court of Appeal disagreed. 

"A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business," the court held.

FTC Chairwoman Edith Ramirez said the decision "reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data."

"It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information,” she said.

The Electronic Privacy Information Center (EPIC) filed an amicus brief in the case, joined by leading technical experts and legal scholars, defending the FTC's "critical role in safeguarding consumer privacy and promoting stronger security standards."

EPIC explained that data breaches, which have caused more than $500 million in damages last year alone, are one of the top concerns of American consumers.

Take an Identity Theft Quiz. Get matched with an Authorized Partner.