FTC can sue companies hit with data breaches, court says
Agency secures major victory in legal battle with Wyndham Worldwide hotel operator
Computerworld - A federal court in New Jersey this week affirmed the Federal Trade Commission's contention that it can sue companies on charges related to data breaches, a major victory for the agency.
Judge Esther Salas of the U.S. District Court for the District of New Jersey ruled that the FTC can hold companies responsible for failing to use reasonable security practices.
Wyndham Worldwide Corp. had challenged a 2012 FTC lawsuit in connection with a data breach that exposed hundreds of thousands of credit and debit cards and resulted in more than $10.6 million in fraud losses.
The lawsuit accused Wyndham of unfair trade practices and of deceiving customers into thinking their sensitive cardholder data was adequately protected after the hotel operator suffered three major data breaches in two years.
The lawsuit was similar to several other lawsuits filed by the agency in recent years against companies that suffered data breaches. In most cases, breached entities settled the cases with the FTC.
Wyndham was one of just two companies so far to challenge such FTC lawsuits. The other, LabMD, an Atlanta-based medical laboratory, claimed a similar FTC lawsuit forced it to close its doors.
In its lawsuit, Wyndham questioned whether the FTC has the authority to take enforcement action against breached entities.
Several trade groups and the U.S. Chamber of Commerce also question the agency's authority to enforce data security standards under the unfair and deceptive practices provisions of the FTC Act. They accused the agency of trying to hold companies to security standards not included in FTC guidelines.
Wyndham and its supporters contend that Congress hasn't given the FTC the authority to regulate data security. Wyndham also challenged the FTC's claim that it had deceived customers. The company asked the court to dismiss all of the FTC's claims against it.
Security and legal experts saw the case as a landmark test of the agency's authority to enforce data security standards on U.S. companies under a section of the FTC Act that prohibits "unfair" and "deceptive" trade practices. Over the past several years, the FTC has used this clause to force numerous settlements, or "consent decrees," from companies that suffered data breaches.
In her 46-page ruling, Judge Salas rejected all of Wyndham's claims and held that the FTC does have the authority to hold companies accountable for breaches resulting from their failure to apply proper security controls. The court held that the FTC does not need to issue any guidelines in order to hold companies accountable for breaches.
The ruling is a major victory for the FTC and could set the stage for more lawsuits, said Scott Vernick, a Fox Rothschild attorney who specializes in online privacy and rights issues.
"The main takeaway is that the FTC is here to stay," Vernick said. "If the decision holds, the FTC will become more aggressive in enforcement action."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is email@example.com.