Court Upholds FTC’s Power to Sue Hacked Companies

A federal court rejects a bid from Wyndham Hotels to undercut federal authority over data security.

Wyndham hotel in Pittsburgh, Pa.
National Journal
Brendan Sasso
Add to Briefcase
See more stories about...
Brendan Sasso
April 7, 2014, 12:56 p.m.

The Fed­er­al Trade Com­mis­sion has the power to sue com­pan­ies that fail to pro­tect their cus­tom­ers’ data, a fed­er­al court in New Jer­sey said Monday.

The rul­ing shoots down a chal­lenge from Wyndham Ho­tels, which ar­gued that the FTC over­stepped its au­thor­ity with a 2012 law­suit against the glob­al hotel chain.

The de­cision by U.S. Dis­trict Court Judge Es­th­er Salas is a ma­jor win for the agency. If the court had sided with Wyndham, it would have stripped the fed­er­al gov­ern­ment of over­sight of data se­cur­ity prac­tices just as hack­ers be­gin to pull off more and more high-pro­file at­tacks.

Salas said her de­cision “does not give the FTC a blank check to sus­tain a law­suit against every busi­ness that has been hacked,” but that she must fol­low the “bind­ing and per­suas­ive pre­ced­ent” to up­hold the agency’s au­thor­ity.

The FTC is cur­rently in­vest­ig­at­ing Tar­get over the massive hack last year that ex­posed in­form­a­tion on 40 mil­lion cred­it cards. Tar­get could have pre­ven­ted the at­tack with bet­ter se­cur­ity prac­tices, ac­cord­ing to a re­cent re­port from the Sen­ate Com­merce Com­mit­tee.

The FTC has sued dozens of com­pan­ies in re­cent years for fail­ing to take reas­on­able steps to pro­tect cus­tom­er data. The agency says it has the au­thor­ity to po­lice data se­cur­ity prac­tices be­cause Con­gress gave it power over “un­fair” busi­ness prac­tices.

The FTC sued Wyndham in 2012, main­tain­ing that the hotel chain didn’t use ba­sic se­cur­ity meas­ures such as fire­walls, com­plex pass­words, or sep­ar­at­ing net­works in dif­fer­ent loc­a­tions. As a res­ult, hack­ers were able to pen­et­rate a com­puter net­work in a Wyndham hotel in Phoenix and ul­ti­mately make off with in­form­a­tion on 500,000 cred­it cards, the FTC charged.

Wyndham asked the fed­er­al court to throw out the suit, ar­guing that in­ad­equate data se­cur­ity prac­tices aren’t “un­fair” un­der the leg­al defin­i­tion. The com­pany also claimed the FTC should have pub­lished clear rules on data se­cur­ity be­fore fil­ing suit.

But Judge Salas said she wouldn’t “carve out a data-se­cur­ity ex­cep­tion” to the FTC’s power over un­fair prac­tices. She also con­cluded that the agency isn’t re­quired to spell-out spe­cif­ic data se­cur­ity rules. 

Al­though the court dis­missed Wyndham’s at­tempt to block the suit, the FTC will still have to prove the charges.  

FTC Chair­wo­man Edith Ramirez said she’s “pleased” with the de­cision and looks for­ward to try­ing the case against Wyndham. 

“Com­pan­ies should take reas­on­able steps to se­cure sens­it­ive con­sumer in­form­a­tion,” she said. “When they do not, it is not only ap­pro­pri­ate but crit­ic­al that the FTC take ac­tion on be­half of con­sumers.”

Mi­chael Valentino, a Wyndham spokes­man, noted that the de­cision is lim­ited to the FTC’s power and does not ad­dress wheth­er Wyndham broke the law.   “We con­tin­ue to be­lieve the FTC lacks the au­thor­ity to pur­sue this type of case against Amer­ic­an busi­nesses, and has failed to pub­lish any reg­u­la­tions that would give such busi­nesses fair no­tice of any pro­posed stand­ards for data se­cur­ity,” he said. “We in­tend to de­fend our po­s­i­tion vig­or­ously.”  

Mi­chael Valentino, a Wyndham spokes­man, noted that the de­cision is lim­ited to the FTC’s power and does not ad­dress wheth­er Wyndham broke the law.

“We con­tin­ue to be­lieve the FTC lacks the au­thor­ity to pur­sue this type of case against Amer­ic­an busi­nesses, and has failed to pub­lish any reg­u­la­tions that would give such busi­nesses fair no­tice of any pro­posed stand­ards for data se­cur­ity,” he said. “We in­tend to de­fend our po­s­i­tion vig­or­ously.” 

Al­though the FTC can or­der com­pan­ies to change their busi­ness prac­tices, the agency has no fin­ing au­thor­ity. Demo­crats are push­ing sev­er­al bills in Con­gress that would ex­pand the FTC’s au­thor­ity over data se­cur­ity, in­clud­ing give the agency the power to fine com­pan­ies for non­com­pli­ance.

What We're Following See More »
SANS PROOF
NRA Chief: Leftist Protesters Are Paid
2 days ago
UPDATE
NEW TRAVEL BAN COMING SOON
Trump Still on Campaign Rhetoric
2 days ago
UPDATE
“WE’RE CHANGING IT”
Trump Rails On Obamacare
2 days ago
UPDATE

After spending a few minutes re-litigating the Democratic primary, Donald Trump turned his focus to Obamacare. “I inherited a mess, believe me. We also inherited a failed healthcare law that threatens our medical system with absolute and total catastrophe” he said. “I’ve been watching and nobody says it, but Obamacare doesn’t work.” He finished, "so we're going to repeal and replace Obamacare."

FAKE NEWS
Trump Goes After The Media
2 days ago
UPDATE

Donald Trump lobbed his first attack at the “dishonest media” about a minute into his speech, saying that the media would not appropriately cover the standing ovation that he received. “We are fighting the fake news,” he said, before doubling down on his previous claim that the press is “the enemy of the people." However, he made a distinction, saying that he doesn't think all media is the enemy, just the "fake news."

FBI TURNED DOWN REQUEST
Report: Trump Asked FBI to Deny Russia Stories
2 days ago
THE LATEST

"The FBI rejected a recent White House request to publicly knock down media reports about communications between Donald Trump's associates and Russians known to US intelligence during the 2016 presidential campaign, multiple US officials briefed on the matter tell CNN. But a White House official said late Thursday that the request was only made after the FBI indicated to the White House it did not believe the reporting to be accurate."

Source:
×
×

Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.

Login