FOR COMPANIES LIKE the dating site Ashley Madison or the health insurer Anthem, financial loss, customer anger and professional embarrassment aren’t the only consequences of getting massively gutted by hackers. Now a court has confirmed that there’s a three-letter agency that can dish out punishment, too.
In a decision published Monday, a U.S. appellate court ruled that the Federal Trade Commission has the authority to sue Wyndham Hotels for allowing hackers to steal more than 600,000 customers’ data from its computer systems in 2008 and 2009, leading to more than $10 million in fraudulent charges. The ruling more widely cements the agency’s power to regulate and fine firms that lose consumer data to hackers, if the companies engaged in what the FTC deems “unfair” or “deceptive” business practices. At a time when ever-more-private data is constantly getting breached, the decision affirms the FTC’s role as a digital watchdog with actual teeth.
‘This Is a Major Deal’
The FTC originally sued Wyndham in 2012 over the lack of security that led to its massive hack. But before the case proceeded, Wyndham appealed to a higher court to dismiss it, arguing that the FTC didn’t have the authority to punish the hotel chain for its breach. The third circuit court’s new decision spells out that Wyndham’s breach is exactly the sort of “unfair or deceptive business practice” the FTC is empowered to stop, sending Wyndham back to face the FTC’s lawsuit in a lower court.
For consumer privacy watchdogs, the ruling comes as a relief, solidifying another serious legal incentive for companies to invest in protecting their customers’ data, according to Electronic Privacy Information Center attorney Alan Butler. “This is a huge victory for the FTC, but also for American consumers,” says Butler, who filed an amicus brief defending the FTC’s authority earlier in the case. “We see services and companies being hacked on an almost daily basis now. Having the FTC out there, bringing actions against companies that fail to protect consumers’ data is a critical tool.”
Wyndham Hotels, for its part, vowed to continue its case in the lower court. The company points out that the appellate court ruled on the FTC’s authority, not the specific allegations the agency made against Wyndham, namely that it had failed to adequately protect its customers. “We believe the facts will show the FTC’s allegations are unfounded,” reads a statement from Wyndham spokesperson Michael Valentino. “Safeguarding personal information remains a top priority for our company, and with the dramatic increase in the number and severity of cyberattacks on both public and private institutions, we believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries.”
Even if Wyndham does eventually lose its case against the FTC, it likely won’t be fined, says Berkeley Law professor Chris Hoofnagle. Instead, it could face the kind of privacy probation that is a frequent outcome of the FTC’s privacy suits against firms, in which the agency closely oversees the company’s data protection systems for a period as long as 20 years, with the option to later impose fines for any violation of the standards it imposes.
But aside from Wyndham itself, the appellate ruling establishes a more important precedent for the legal consequences of a data breach. “Had Wyndham won at the third circuit, it would have called into question the FTC’s ability to police privacy and security,” says Hoofnagle, describing that avoided outcome as a “disaster” for the agency. “This is a major deal.”
Data Insecurity As ‘Unfair’ Business Practice
The Court also rejected another argument from Wyndham that if the FTC were allowed to punish companies for this sort of data breach, it would be allowed to sue any supermarket that’s “sloppy about sweeping up banana peels,” opening the door to unfair practice claims run amok. On that point, the Court snapped back: “Were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability.”
The appellate ruling doesn’t necessarily grant the FTC new powers so much as dispel legal questions around the power it already possesses to be a data security watchdog, says Berkeley’s Hoofnagle. As data breaches increasingly become a source of real suffering for consumers—see the reports of suicides that have already resulted from Ashley Madison’s scandalous data spill—the agency’s mandate is more important than ever.
“The law has always imposed responsibility on companies for the care of their customers. When you’re in the restaurant you have to be protected against slips and falls or food-borne illness,” says Hoofnagle. “Data is just something new that companies have to protect if they want to bear the benefits of collecting it.”