The FTC has been granted the legal right to sue companies whose cybersecurity practices fail to protect customer data, according to a ruling by the Third US Circuit Court of Appeals.
The decision followed a legal complaint from the FTC against Wyndham Hotels, a company that experienced three security incidents in two years, resulting in the loss of hundreds of thousands of payment card accounts. Wyndham Hotels refused to settle, although the FTC had agreed on settlements in other such lawsuits.
“Ultimately, the breach led to the compromise of more than 500,000 payment card accounts, and the export of hundreds of thousands of consumers’ payment card account numbers to a domain registered in Russia,” reads the FTC press release. “Even after faulty security led to one breach, the FTC charged, Wyndham still failed to remedy known security vulnerabilities; failed to employ reasonable measures to detect unauthorized access; and failed to follow proper incident response procedures.”
The ruling empowers the FTC, traditionally seen as a government body acting for consumers, to hold companies accountable for a lack of adequate cybersecurity defenses for customer data. The unanimous decision of the Appeals Court strengthens the FTC's position as the proper government body for overseeing the cybersecurity practices of US companies, if it has sufficient reason to believe the law has been violated.
“Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” stated the FTC. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
The court’s decision comes as no surprise, as the three security breaches experienced by Wyndham Hotels were the direct result of failing to prevent the same type of attack each time.