Court Upholds FTC’s Power to Sue Hacked Companies

A federal court rejects a bid from Wyndham Hotels to undercut federal authority over data security.

Wyndham hotel in Pittsburgh, Pa.
National Journal
Brendan Sasso
April 7, 2014, 12:56 p.m.

The Fed­er­al Trade Com­mis­sion has the power to sue com­pan­ies that fail to pro­tect their cus­tom­ers’ data, a fed­er­al court in New Jer­sey said Monday.

The rul­ing shoots down a chal­lenge from Wyndham Ho­tels, which ar­gued that the FTC over­stepped its au­thor­ity with a 2012 law­suit against the glob­al hotel chain.

The de­cision by U.S. Dis­trict Court Judge Es­th­er Salas is a ma­jor win for the agency. If the court had sided with Wyndham, it would have stripped the fed­er­al gov­ern­ment of over­sight of data se­cur­ity prac­tices just as hack­ers be­gin to pull off more and more high-pro­file at­tacks.

Salas said her de­cision “does not give the FTC a blank check to sus­tain a law­suit against every busi­ness that has been hacked,” but that she must fol­low the “bind­ing and per­suas­ive pre­ced­ent” to up­hold the agency’s au­thor­ity.

The FTC is cur­rently in­vest­ig­at­ing Tar­get over the massive hack last year that ex­posed in­form­a­tion on 40 mil­lion cred­it cards. Tar­get could have pre­ven­ted the at­tack with bet­ter se­cur­ity prac­tices, ac­cord­ing to a re­cent re­port from the Sen­ate Com­merce Com­mit­tee.

The FTC has sued dozens of com­pan­ies in re­cent years for fail­ing to take reas­on­able steps to pro­tect cus­tom­er data. The agency says it has the au­thor­ity to po­lice data se­cur­ity prac­tices be­cause Con­gress gave it power over “un­fair” busi­ness prac­tices.

The FTC sued Wyndham in 2012, main­tain­ing that the hotel chain didn’t use ba­sic se­cur­ity meas­ures such as fire­walls, com­plex pass­words, or sep­ar­at­ing net­works in dif­fer­ent loc­a­tions. As a res­ult, hack­ers were able to pen­et­rate a com­puter net­work in a Wyndham hotel in Phoenix and ul­ti­mately make off with in­form­a­tion on 500,000 cred­it cards, the FTC charged.

Wyndham asked the fed­er­al court to throw out the suit, ar­guing that in­ad­equate data se­cur­ity prac­tices aren’t “un­fair” un­der the leg­al defin­i­tion. The com­pany also claimed the FTC should have pub­lished clear rules on data se­cur­ity be­fore fil­ing suit.

But Judge Salas said she wouldn’t “carve out a data-se­cur­ity ex­cep­tion” to the FTC’s power over un­fair prac­tices. She also con­cluded that the agency isn’t re­quired to spell-out spe­cif­ic data se­cur­ity rules. 

Al­though the court dis­missed Wyndham’s at­tempt to block the suit, the FTC will still have to prove the charges.  

FTC Chair­wo­man Edith Ramirez said she’s “pleased” with the de­cision and looks for­ward to try­ing the case against Wyndham. 

“Com­pan­ies should take reas­on­able steps to se­cure sens­it­ive con­sumer in­form­a­tion,” she said. “When they do not, it is not only ap­pro­pri­ate but crit­ic­al that the FTC take ac­tion on be­half of con­sumers.”

Mi­chael Valentino, a Wyndham spokes­man, noted that the de­cision is lim­ited to the FTC’s power and does not ad­dress wheth­er Wyndham broke the law.   “We con­tin­ue to be­lieve the FTC lacks the au­thor­ity to pur­sue this type of case against Amer­ic­an busi­nesses, and has failed to pub­lish any reg­u­la­tions that would give such busi­nesses fair no­tice of any pro­posed stand­ards for data se­cur­ity,” he said. “We in­tend to de­fend our po­s­i­tion vig­or­ously.”  

Mi­chael Valentino, a Wyndham spokes­man, noted that the de­cision is lim­ited to the FTC’s power and does not ad­dress wheth­er Wyndham broke the law.

“We con­tin­ue to be­lieve the FTC lacks the au­thor­ity to pur­sue this type of case against Amer­ic­an busi­nesses, and has failed to pub­lish any reg­u­la­tions that would give such busi­nesses fair no­tice of any pro­posed stand­ards for data se­cur­ity,” he said. “We in­tend to de­fend our po­s­i­tion vig­or­ously.” 

Al­though the FTC can or­der com­pan­ies to change their busi­ness prac­tices, the agency has no fin­ing au­thor­ity. Demo­crats are push­ing sev­er­al bills in Con­gress that would ex­pand the FTC’s au­thor­ity over data se­cur­ity, in­clud­ing give the agency the power to fine com­pan­ies for non­com­pli­ance.

What We're Following See More »
STAFF PICKS
What the Current Crop of Candidates Could Learn from JFK
1 days ago
WHY WE CARE

Much has been made of David Brooks’s recent New York Times column, in which confesses to missing already the civility and humanity of Barack Obama, compared to who might take his place. In NewYorker.com, Jeffrey Frank reminds us how critical such attributes are to foreign policy. “It’s hard to imagine Kennedy so casually referring to the leader of Russia as a gangster or a thug. For that matter, it’s hard to imagine any president comparing the Russian leader to Hitler [as] Hillary Clinton did at a private fund-raiser. … Kennedy, who always worried that miscalculation could lead to war, paid close attention to the language of diplomacy.”

Source:
STAFF PICKS
Maher Weighs in on Bernie, Trump and Palin
1 days ago
WHY WE CARE

“We haven’t seen a true leftist since FDR, so many millions are coming out of the woodwork to vote for Bernie Sanders; he is the Occupy movement now come to life in the political arena.” So says Bill Maher in his Hollywood Reporter cover story (more a stream-of-consciousness riff than an essay, actually). Conservative states may never vote for a socialist in the general election, but “this stuff has never been on the table, and these voters have never been activated.” Maher saves most of his bile for Donald Trump and Sarah Palin, writing that by nominating Palin as vice president “John McCain is the one who opened the Book of the Dead and let the monsters out.” And Trump is picking up where Palin left off.

Source:
×