FTC Can Bring Cybersecurity Charges Against Wyndham, Court Rules

In a defeat for Wyndham Hotels, a federal appellate court ruled on Monday that the Federal Trade Commission can proceed with a lawsuit accusing the hotel chain of engaging in "unfair" cybersecurity practices.

The ruling, issued by a three-judge panel of the 3rd Circuit Court of Appeals, means that Wyndham will have to face an enforcement action stemming from three separate security breaches that occurred between 2008 and 2010.

The FTC alleged that Wyndham's failure to use reasonable security measures constituted an unfair practice. Among other security deficiencies, the hotel chain allegedly stored credit card information in clear readable text, used "easily guessed" passwords and failed to use firewalls.

Wyndham argued that it was a crime victim, and therefore shouldn't be charged with doing anything "unfair" to customers.

The appellate judges rejected that position, writing: "[Wyndham] offers no reasoning or authority for this principle, and we can think of none ourselves."

The panel also rejected Wyndham's argument that the FTC's lawsuit marked an improper attempt to impose security requirements retroactively.

"Wyndham was not entitled to know with ascertainable certainty the FTC's interpretation of what cybersecurity practices are required," the panel wrote. "Instead, the relevant question in this appeal is whether Wyndham had fair notice that its conduct could fall within the meaning of the statute."

The decision makes clear that the FTC has broad authority to regulate privacy, even in the absence of specific data-protection guidelines, according to Gregory Boyd, a partner with the law firm Frankfurt Kurnit Klein & Selz.

Boyd added that the decision makes sense from a policy viewpoint. "Given the pace of technological progress and the ever fluctuating state of the cryptography and counter-cryptography front line, a fluid standard is the best possible descriptor," Boyd says in an email to MediaPost.

At the same time, the opinion leaves open at least one question -- whether the FTC can charge a company with engaging in unfair security practices if it doesn't have a privacy policy, says University of Nebraska Assistant Professor of Law Gus Hurwitz.

That's because the appellate judges tied the concept of unfairness to the allegation that Wyndham violated its privacy policy. "A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business," the appeals court wrote.

Santa Clara University law professor Eric Goldman points out that this opinion marks the second time this summer that a federal appellate court has ruled against a company that suffered a data breach.

The 7th Circuit Court of Appeals ruled in July that consumers could proceed with a class-action privacy lawsuit against Neiman Marcus, which suffered a data breach in 2014. The appellate court ruled that consumers who shopped at the store could proceed based on their risk of future injury, even if no fraudulent charges had yet been placed on their credit cards.

Goldman says that the two appellate opinions, coming just one month apart, could reflect that federal judges "are fed up about data security breaches."