FTC can sue companies hit with data breaches, court says
Agency secures major victory in legal battle with Wyndham Worldwide hotel operator
Computerworld - A federal court in New Jersey this week affirmed the Federal Trade Commission's contention that it can sue companies on charges related to data breaches, a major victory for the agency.
Judge Esther Salas of the U.S. District Court for the District of New Jersey ruled that the FTC can hold companies responsible for failing to use reasonable security practices.
Wyndham Worldwide Corp. had challenged a 2012 FTC lawsuit in connection with a data breach that exposed hundreds of thousands of credit and debit cards and resulted in more than $10.6 million in fraud losses.
The lawsuit accused Wyndham of unfair trade practices and of deceiving customers into thinking their sensitive cardholder data was adequately protected after the hotel operator suffered three major data breaches in two years.
The lawsuit was similar to several other lawsuits filed by the agency in recent years against companies that suffered data breaches. In most cases, breached entities settled the cases with the FTC.
Wyndham was one of just two companies so far to challenge such FTC lawsuits. The other, LabMD, an Atlanta-based medical laboratory, claimed a similar FTC lawsuit forced it to close its doors.
In its lawsuit, Wyndham questioned whether the FTC has the authority to take enforcement action against breached entities.
Several trade groups and the U.S. Chamber of Commerce also question the agency's authority to enforce data security standards under the unfair and deceptive practices provisions of the FTC Act. They accused the agency of trying to hold companies to security standards not included in FTC guidelines.
Wyndham and its supporters contend that Congress hasn't given the FTC the authority to regulate data security. Wyndham also challenged the FTC's claim that it had deceived customers. The company asked the court to dismiss all of the FTC's claims against it.
Security and legal experts saw the case as a landmark test of the agency's authority to enforce data security standards on U.S. companies under a section of the FTC Act that prohibits "unfair" and "deceptive" trade practices. Over the past several years, the FTC has used this clause to force numerous settlements, or "consent decrees," from companies that suffered data breaches.
In her 46-page ruling, Judge Salas rejected all of Wyndham's claims and held that the FTC does have the authority to hold companies accountable for breaches resulting from their failure to apply proper security controls. The court held that the FTC does not need to issue any guidelines in order to hold companies accountable for breaches.
The ruling is a major victory for the FTC and could set the stage for more lawsuits, said Scott Vernick, a Fox Rothschild attorney who specializes in online privacy and rights issues.
"The main takeaway is that the FTC is here to stay," Vernick said. "If the decision holds, the FTC will become more aggressive in enforcement action."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.