Article Lead Image

The U.S. government can now sue companies that fail to protect your data

Time to beef up that security.


Eric Geller


Posted on Aug 24, 2015   Updated on May 28, 2021, 2:45 am CDT

The FTC has won a major legal battle that could allow to prosecute companies that fail to adequately protect user data.

The U.S. Court of Appeals for the Third Circuit ruled Monday in favor of the Federal Trade Commission in Wyndham v. FTC, a case that arose after the FTC sued Wyndham Hotels & Resorts for using weak security measures that made it a sitting duck for hackers.

Wyndham had challenged the agency’s authority to prosecute it for that security failure, but on Monday, all three judges on the appeals court’s panel decided that the FTC indeed had that authority. A Wyndham spokesman told Reuters that the company was reviewing the ruling and did not suggest how it would respond.

Unless Wyndham can secure a review of the decision by the U.S. Supreme Court, Monday’s ruling effectively solidifies the FTC’s ability to prosecute companies that don’t do enough to keep customer data out of the hands of hackers.

Marc Rotenberg, president and executive director of the Electronic Privacy Information Center (EPIC), praised the decision and told the Daily Dot in an email that the FTC played “a critical role in safeguarding consumer privacy in America.” He also pointed to a key passage in the ruling, in which the court wrote:

A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.

Although hackers have increasingly targeted government agencies rich with records, like the Office of Personnel Management (OPM) and the Department of Veterans Affairs, they also continue to go after major corporations with vast troves of private data.

Russian hackers penetrated Wyndham’s systems in three separate attacks in 2008 and 2009, stealing more than 600,000 credit-card numbers and racking up more than $10 million in fraudulent charges. The FTC sued the hotel chain for failing to live up to its data-privacy responsibilities.

In court, Wyndham argued that, if the FTC could sue companies for not using strong enough security measures, it could essentially “regulate the locks on hotel room doors.” But the court dismissed that rhetoric about overly broad enforcement powers as “alarmist to say the least.”

Julie Brill, a Democratic commissioner on FTC, tweeted about the ruling and called it “big news.”

Update 12:09pm CT, Aug. 24: Added comment from EPIC’s Marc Rotenberg.

H/T Reuters | Photo via Eric Fischer/Flickr (CC BY 2.0)

Share this article
*First Published: Aug 24, 2015, 1:53 pm CDT