In a much-anticipated precedential opinion, the Third Circuit U.S. Court of Appeals on Aug. 24 held that the Federal Trade Commission can enforce the data security standards of commercial entities. The FTC sued Wyndham hotels for failing to maintain reasonable and appropriate security measures, allowing hackers to access the information of more than 619,000 customers.
Wyndham challenged the FTC’s data security authority under the unfairness prong of Section 5 of the FTC Act. The company argued that Congress adopted a less extensive regulatory scheme and that the FTC has disclaimed authority to regulate data security practices, similar to the FDA’s disclaimers over tobacco regulation in FDA v. Brown & Williamson Tobacco Corp.
In its unanimous opinion, the Circuit Court held that Wyndham’s alleged cybersecurity practices fit the definition of “unfair” when compared with its stated security policies. It also affirmed the District Court’s finding that the FTC provided sufficient “fair notice” to Wyndham regarding the cybersecurity practices that the agency deems reasonable to avoid liability under the FTC Act.
The FTC alleged that Wyndham engaged in a number of practices that “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft,” including failing to use firewalls, storing credit card information in clear text, not implementing security measures when connecting local and corporate-level networks, not requiring employees to use complex user IDs and passwords, failing to inventory computers, and failing to conduct security investigations.