In a case determining the scope of the Federal Trade Commission’s (FTC) ability to govern data security, the 3rd U.S. Circuit Court of Appeals in Philadelphia upheld a 2014 ruling allowing the FTC to pursue a lawsuit against Wyndham Worldwide Corp. for failing to protect customer information after three data breaches that occurred in 2008 and 2009. The theft of credit card and personal details from over 600,000 consumers resulted in $10.6 million in fraudulent charges and the transfer of consumer account information to a website registered in Russia.
The appellate court’s decision is important because it declares that the FTC has the authority to regulate cybersecurity under the unfairness doctrine of §45 of the FTC Act. This doctrine allows the FTC to declare a business practice unfair if it is oppressive or harmful to consumers, even when the practice is not an antitrust violation. Under this decision, the FTC has the authority to seek civil penalties against companies found to have engaged in unfair practices.
What exactly did Wyndham do to possibly merit the claim of unfair practices?
According to the FTC’s original complaint, the company:
- allowed for the storing of payment card information in clear readable text;
- allowed the use of easily guessed passwords to access property management systems;
- failed to use commonly available security measures, like firewalls, to limit access between hotel property management systems, corporate networks and the internet; and
- failed to adequately restrict and monitor unauthorized access to its network.
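The first two alleged failings, clear-text storage of payment card data and easily guessed passwords, are the ones an assessor can test for directly against a database export. The script below is an added example for this article, not code from the FTC complaint or from Wyndham: it scans constructed property-management records for Luhn-valid card numbers stored in readable form, and flags account passwords that an attacker would try first. The sample records, the account list, and the function names are all assumptions made for the illustration.

```python
"""Added example (not from the article or the FTC complaint): two checks for
clear-text payment card numbers and easily guessed passwords in a constructed
export of hotel property-management records."""

import re

# Constructed sample export. Rows 0 and 2 hold clear-text PANs (card-brand test
# numbers), row 1 holds a masked PAN, row 3 holds a 16-digit invoice number
# that is not a card number and fails the Luhn check.
SAMPLE_RECORDS = [
    "guest=A. Smith; card=4111111111111111; exp=12/27",
    "guest=B. Jones; card=************1234; exp=05/26",
    "guest=C. Lee; card=5500 0000 0000 0004; exp=09/28",
    "guest=D. Kim; invoice=1234567890123456",
]

# Constructed sample accounts for the property-management system.
SAMPLE_ACCOUNTS = [
    ("admin", "admin123"),
    ("frontdesk", "password"),
    ("nightaudit", "Tq7#vL92pX!w"),
    ("manager", "11111111"),
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Deliberately short list; a real assessment would use a large wordlist.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "admin",
    "letmein", "welcome", "p@ssw0rd",
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by
    payment card numbers. Used to separate real PANs from other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(record: str) -> list[str]:
    """Return the normalized (digits-only) Luhn-valid card numbers found in
    readable form in one record. Masked values like ****1234 do not match."""
    found = []
    for match in PAN_PATTERN.finditer(record):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_records(records: list[str]) -> list[tuple[int, str]]:
    """Return (row index, PAN) for every clear-text card number in the export."""
    hits = []
    for idx, record in enumerate(records):
        for pan in find_cleartext_pans(record):
            hits.append((idx, pan))
    return hits


def is_easily_guessed(username: str, password: str) -> bool:
    """Flag passwords an attacker would try first: too short, on the common
    list, containing the username, one repeated character, or a digit run."""
    pw = password.lower()
    user = username.lower()
    if len(pw) < 8:
        return True
    if pw in COMMON_PASSWORDS:
        return True
    if user and user in pw:
        return True
    if len(set(pw)) == 1:
        return True
    if pw.isdigit() and pw in "01234567890123456789":
        return True
    return False


def weak_accounts(accounts: list[tuple[str, str]]) -> list[str]:
    """Return the usernames whose passwords fail is_easily_guessed."""
    return [user for user, pw in accounts if is_easily_guessed(user, pw)]


if __name__ == "__main__":
    for idx, pan in scan_records(SAMPLE_RECORDS):
        print(f"row {idx}: clear-text PAN ending {pan[-4:]}")
    for user in weak_accounts(SAMPLE_ACCOUNTS):
        print(f"account {user}: easily guessed password")
```

The Luhn check matters because a naive regex for long digit runs reports invoice and reservation numbers alongside real card data; requiring the mod-10 checksum removes most of that noise without any external data. The password check is deliberately structural (length, dictionary, username reuse, repetition, sequences) so it can be run over a credential dump offline, which is how an assessor would reproduce a "easily guessed passwords" finding.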
Wyndham requested that the suit be dismissed, arguing that the FTC did not have the authority to regulate cybersecurity. The appellate court found otherwise, stating that Wyndham had failed to show that its alleged conduct fell outside the plain meaning of "unfair".