A court has sided with the Federal Trade Commission's (FTC) attempt to punish companies for poor security standards that lead to data breaches.
Judge Esther Salas of the U.S. District Court for the District of New Jersey refused to dismiss the agency’s lawsuit against the Wyndham Worldwide hotel and resort chain for getting hacked. The FTC claims that the company’s promise to protect users’ data was “unfair and deceptive.”
The ruling takes a major step toward settling the thorny issue of whether the FTC can go after companies where data was stolen, but will likely not provide the final answer to the question.
The company, she noted, did not require users to have complex identification tags or passwords, among other simple security steps.
FTC Chairwoman Edith Ramirez said she was “pleased” with the court’s reaction.
“Companies should take reasonable steps to secure sensitive consumer information,” she said in a statement. “When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers.”
A spokesman with the hotel company said it was undeterred and would “vigorously” defend its case.
“It is important to note that the court made no decision on liability today,” Michael Valentino said.
“We continue to believe the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security.”
The FTC sued the company in 2012 after hackers stole hundreds of thousands of credit and debit card numbers and made more than $10 million in fraudulent charges.
Wyndham has fought back. The FTC, it claimed, does not have the legal authority to regulate how companies protect users’ data, forcing a showdown on the issue.
The case, Salas admitted in her ruling, is in “unchartered territory.”
Wyndham Worldwide has compared its case to a Supreme Court decision that prevented the Food and Drug Administration (FDA) from regulating tobacco, because the law did not specifically authorize its authority in the area.
Unlike that case, however, Salas said it was not clear that Congress specifically meant to exclude data security from the FTC’s purview. The case was also different because no other “regulatory scheme” had been written for data privacy like tobacco, she said.
Wyndham, she wrote, “fails to explain how the FTC’s unfairness authority over data security would lead to a result that is incompatible with more recent legislation and thus would ‘plainly contradict congressional policy.’ ”
Instead, any laws that include data security provisions seem “to complement—not preclude—the FTC’s authority. ... Thus, unlike the FDA’s regulation over tobacco, the FTC’s unfairness authority over data security can coexist with the existing data-security regulatory scheme.”
Wyndham has also claimed that the FTC needs to issue rules and regulations outlining when a company is open to action for lax data security.
Salas retorted that she is “unpersuaded that regulations are the only means of providing sufficient fair notice.”
The FTC has brought dozens of data privacy cases over the years, but lingering questions about its authority have troubled privacy advocates and businesses alike.
Wyndham’s is not the only case challenging the FTC’s authority in the area.
Medical testing company LabMD brought a similar defense after being hit with an FTC action last year.
Lawmakers in Congress have debated whether or not the agency’s powers should be clarified, after data breaches at major retailers like Target and Neiman Marcus have exposed millions of people’s information.
Officials at the FTC have said they would welcome a congressional show of support.
— This story was updated at 5:51 p.m.