FTC wins appeal in Wyndham data security case

A federal appeals court upheld the Federal Trade Commission’s authority to enforce data security practices.

The U.S. Circuit Court of Appeals in Philadelphia ruled Monday that the FTC could go ahead in its lawsuit against Wyndham Worldwide Corp. for data breaches in 2008 and 2009 that compromised the financial information of hundreds of thousands of Wyndham customers.

The FTC charged that Wyndham’s conduct was an unfair practice and that its privacy policy was deceptive.

Wyndham fought the FTC in court over the agency’s authority to regulate cybersecurity and argued that the FTC failed to spell out what specific cybersecurity practices constituted reasonable security measures. The hackers, not the business, should be held responsible, Wyndham argued.

The three-judge panel sided with the FTC, affirming a lower court’s decision denying Wyndham’s motion to dismiss. The court also affirmed the district court’s findings that the FTC gave Wyndham fair notice about which data security practices would be deemed reasonable by the agency.

“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information,” said FTC chairwoman Edith Ramirez in a statement.

Wyndham is one of two companies that have recently challenged the FTC’s authority over data security practices. The other is LabMD.

The FTC has brought more than 50 data security cases over the years and recently pulled together all its case law into guidance for companies. Next month, the agency is holding the first of two educational conferences called Start with Security, in San Francisco and Austin in November, to provide startups and developers with practical guidance on integrating data security practices into company operations.