The Federal Trade Commission Act provides the FTC with the authority to enforce unfair or deceptive practices, and seek relief for ‘conduct injurious to consumers.’ This has been going on for quite some time, and while controversial in some circles, it has gone largely unchallenged. Recently, however, the FTC has begun to test their authority when it comes to policing cyber security cases, and it seems they will have that authority as well, at least for now.
The FTC has been functioning as the nation’s largest enforcement agency in cyber security practices. Many companies who have been targeted by the FTC have attempted to fight back, but according to a recent court ruling, it seems the FTC has been given this enforcement authority.
The case, FTC v. Wyndham Worldwide Corp., was held in the US district court for the district of New Jersey, and in it, it was determined that the FTC has the authority to police cyber security. Wyndham is a hotel chain, which also sells timeshares. The legal case came up when the FTC asserted that three breaches of the Wyndham data management system resulted in “the compromise of more than 619,000 consumer payment card account numbers, the exportation of many of these account numbers to a domain registered in Russia, fraudulent charges on many consumers’ accounts, and more than $10.6 million in fraud losses.”
The FTC brought action against Wyndham to seek relief and attempt to prevent further violations of the FTC act, and to redress consumers’ injuries resulting from the breaches. According to the FTC, Wyndham’s failure to protect the data was a failure to act reasonably and appropriately in regard to the personal data which they had collected.
Wyndham’s request to have this case dismissed because the FTC lacks the authority to regulate Cyber security (among other reasons) was not accepted. This essentially confirms that the FTC does indeed have this authority. While the case could be sent to higher courts in the future, this is a major victory for the FTC. This will also likely result in the FTC taking bolder action against companies that get hacked in the future.