federal appeals court has agreed to decide whether the Federal Trade Commission can bring charges against companies based on their alleged failure to protect consumers' data.
move comes in response to a petition filed by Wyndham Hotels, which is fighting an FTC lawsuit alleging that the hotel chain didn't use firewalls, encrypt credit card data or take other
“reasonable” security measures to protect consumers' financial information. The FTC sued Wyndham after the hotel chain suffered three data breaches between 2008 and 2010.
District Court Judge Esther Salas in New Jersey ruled earlier this year that the FTC could proceed with the case. Wyndham then asked the Third Circuit Court of Appeals to hear the case. The U.S.
Chamber of Commerce, American Hotel & Lodging Association and National Federation of Independent Business filed a friend-of-the-court brief backing that request.
FTC’s enforcement authority ... extends to regulation of data security is an issue of central importance to businesses that face the prospect of being investigated by the Commission,” the
groups argued. “That prospect becomes likelier every day given the increase in cyber-based attacks against businesses.”
Since 2011, the FTC has brought dozens of enforcement
actions charging companies with violating consumers' privacy or mishandling their data. Most of the companies that faced charges relating to privacy or data security settled with the FTC. In one
recent example, last December the FTC brought charges against the developer of the Brightest Flashlight app, which allegedly transmitted consumers' geolocation data and unique device identifiers to ad
The FTC didn't oppose Wyndham's request for appellate review. The agency said in court papers that a “prompt decision” upholding its right to bring data-security cases
“would advance the public interest by removing the uncertainty that Wyndham is attempting to generate regarding the Commission’s statutory authority to protect consumers from
unreasonable and harmful data-security lapses.”
Earlier in the proceedings, Wyndham urged Salas to rule that the FTC lacks authority to charge companies with using poor data-security
practices. The hotel chain also argued that the FTC should have issued guidance on data security before bringing suit.
Salas rejected those arguments, ruling that the FTC is authorized to
charge unfairness, regardless of whether the agency previously promulgated cybersecurity regulations.