A New (Old) Sheriff: The FTC’s Authority on Cybersecurity Affirmed

chainsBy Julie Liu

As we know well from news coverage of hacks and leaked information, consumers and employees take a gamble whenever they give their personal information to a company. Consciously or not, these individuals count on the company’s technological savvy in combination with its data security policies to keep the information safe. While this status has not changed much since businesses first became digitized, regulations are gradually catching up. For the Federal Trade Commission (FTC), cybersecurity has been a top priority in recent years, and it will likely tighten its grip on businesses with inadequate security measures.

Late last month, the U.S. Court of Appeals for the Third Circuit issued its long-awaited ruling in FTC v. Wyndham Worldwide Corporation, a case which reevaluated the FTC’s authority to regulate cybersecurity. Litigation began in 2012 when the FTC sued Wyndham Worldwide, a hotel chain company, for unfair business practices. The FTC alleged that Wyndham’s inadequate data security led to three data breaches at Wyndham hotels in two years. According to the complaint, these breaches compromised more than 619,000 payment card accounts and caused over $10.6 million in fraud loss. Wyndham responded with a motion to dismiss the complaint, arguing that the FTC did not have the authority to bring the suit in the first place. The district court denied the motion last year, and the Third Circuit has now affirmed this order on interlocutory appeal.

Continue reading