A federal appeals court on Monday ruled the Federal Trade Commission has the authority to bring enforcement actions against companies that fail to take adequate precautions to prevent a cybersecurity breach.
Hackers infiltrated the networks of the hotel chain, Wyndham, three times between 2008 and 2010, stealing the credit and debit card information of more than 600,000 patrons.
The case has been closely watched as a barometer of the FTC’s authority to regulate companies’ data security practices.
In his State of the Union address in January, President Obama suggested broadening the FTC’s authority to allow it to set cybersecurity standards that companies would be required to meet.
Absent congressional regulation, the agency has brought more than 50 data security cases, most of which have resulted in settlement.
Wyndham, one of only a few firms to challenge an agency suit, characterized the FTC’s action as governmental overreach. The company also claims that it is being punished unfairly for being a victim of hackers.
Critics have condemned the agency for taking enforcement action when, they say, it has no set cybersecurity standards.
The policy, posted on the hotel chain’s Web site, says that it takes “commercially reasonable efforts to create and maintain ‘fire walls’ and other appropriate safeguards,” including encryption.
The regulatory agency claims that, contrary to its policy, Wyndham neither encrypted data nor used firewalls.
The agency also accuses the hotel chain of using easy-to-guess passwords and storing credit card information in clear, readable text.
These practices, the FTC claims, “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”