Court Upholds FTC Authority Over Hack

A federal court has said the FTC had the ability to regulate cybersecurity under its unfairness authority when it filed suit against hotel company Wyndham and that Wyndham was not entitled to know the exact cybersecurity standards it would be held to.

"Wyndham cannot argue it was entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform.

"Instead, the company can only claim that it lacked fair notice of the meaning of the statute itself," the court said, "a theory it did not meaningfully raise and that we strongly suspect would be unpersuasive under the facts of this case."

That came in a decision of a three-judge panel of the U.S. Court of Appeals for the Third Circuit Monday upholding a lower court decision not to dismiss the FTC suit, as Wyndham had asked.

Wyndham and its customers were the victims of three hacks that resulted in stolen personal and financial info that led to over $10 million in fraudulent charges. The FTC filed suit alleging that Wyndham's conduct was an unfair practice and its privacy policy deceptive. Wyndham petitioned the court to dismiss, which it declined to do. Wyndham appealed to the Third Circuit, which, in the process of upholding the lower court, signaled that a porous cybersecurity defense could be unfair and a privacy policy that did not deliver that privacy could reasonably be considered deceptive.

The hackers got encrypted information from over 500,000 accounts, which was sent to a domain name in Russia.

The court had some fun with Wyndham's argument that if the FTC's unfairness authority extends to conduct (insufficiently protecting information), it has the ability to sue supermarkets that are "sloppy about sweeping up banana peels."

"The argument is alarmist to say the least," said the court, "and it invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability..."

Wyndham spokespeople were not immediately available for comment, but they could appeal the decision to the full court.

"While we are disappointed by the opinion, we continue to contend the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security," Wyndham said in a statement.

"It is important to note that today's opinion was decided solely upon our motion to dismiss the FTC's complaint, which requires the Third Circuit to take the FTC's allegations at face value. Once the discovery process resumes, we believe the facts will show the FTC's allegations are unfounded. Safeguarding personal information remains a top priority for our company, and with the dramatic increase in the number and severity of cyberattacks on both public and private institutions, we believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries."