Breached US firms could face even more legal headaches after a court ruled that the Federal Trade Commission has the power to regulate cybersecurity.
Reuters reports that the 3rd US Circuit Court of Appeals decided on Monday that the FTC could pursue its lawsuit against Wyndham Worldwide Corporation on the of grounds a 1914 law that grants the FTC power to safeguard consumers from “unfair or deceptive acts or practices in or affecting commerce.”
Wyndham, a hotel operator that owns high-profile brands including Days Inn and Travelodge, suffered three breaches in 2008 and 2009, in which hackers accessed and made off with personal and financial data on the company’ customers. The resultant fraudulent activity racked up a bill of $10.6m.
The FTC filed suit in a federal court on the grounds that Wyndham’s privacy policy and cybersecurity represented unfair or misleading trading practices, misrepresenting the measures taken to protect data.
The court of appeals upheld the district court’s decision on the grounds that Wyndham failed to identify how its actions could not be classed as “unfair” as per the FTC’s mandate. It also failed in its attempts to convince the court that it lacked “fair notice” of the FTC’s requirements.
Read the 3rd US Circuit Court of Appeals’ report here.
In response to the ruling, Pat Clawson, CEO of the Blancco Technology Group said that: “It’s pretty significant that the FTC is exerting more of its power in matters related to data breaches. There’s no doubt it’s a positive thing for consumers whose data is collected, stored and tracked by companies. They can rest assured that businesses will be held accountable for the data they collect and store on them.”
Jason du Preez, CEO of privacy technology firm Privitar, added that companies need to advance their data management and embrace privacy by default. “This decision is further support for the notion that companies need to take the way they manage and process sensitive data more seriously. While the opportunities presented by big data analytics can be of enormous value… the legal and ethical implications need to be understood and respected,” he remarked. "By ensuring only essential data is visible in any given process, organizations can extract essential value from data while complying to the strictest standards for data protection.”