A U.S. appeals court said the Federal Trade Commission has authority to regulate corporate cyber security, and may pursue a lawsuit accusing hotel operator Wyndham Worldwide Corp of failing to properly safeguard consumers’ information.
The 3-0 decision by the 3rd U.S. Circuit Court of Appeals in Philadelphia on Monday upheld an April 2014 lower court ruling allowing the case to go forward.
The FTC wants to hold Wyndham accountable for three breaches in 2008 and 2009 in which hackers broke into its computer system and stole credit card and other details from more than 619,000 consumers, leading to over $10.6 million in fraudulent charges.
Noting the FTC’s broad authority under a 1914 law to protect consumers from unfair and deceptive trade practices, Circuit Judge Thomas Ambro said Wyndham failed to show that its alleged conduct “falls outside the plain meaning of ‘unfair.'”
Wyndham brands include Days Inn, Howard Johnson, Ramada, Super 8 and Travelodge.
A company spokesman, Michael Valentino, said “safeguarding personal information remains a top priority” for the Parsippany, New Jersey-based company. “We believe the facts will show the FTC’s allegations are unfounded,” he added.
FTC Chairwoman Edith Ramirez welcomed the decision.
“It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information,” she said.
Congress has not adopted wide-ranging legislation governing data security, a growing concern after high-profile breaches such as at retailer Target Corp, infidelity website Ashley Madison, and even U.S. government databases.
In a test of its power to fill the void, the FTC sued Wyndham in June 2012, claiming its computers “unreasonably and unnecessarily” exposed consumer data to the risk of theft.
Wyndham accused the FTC of overreaching, but U.S. District Judge Esther Salas in Newark, New Jersey, let the case proceed.
Affirming that ruling, Ambro rejected Wyndham’s argument that it lacked “fair notice” about what the FTC could require.
He also rejected what he called Wyndham’s “alarmist” argument that letting the FTC regulate its conduct could give the agency effective authority to regulate hotel room door locks, or sue supermarkets that fail to sweep up banana peels.
“It invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability,” Ambro wrote.
The case is Federal Trade Commission v Wyndham Worldwide Corp et al, 3rd U.S. Circuit Court of Appeals, No. 14-3514.
(Additional reporting by Alina Selyukh in Washington, D.C.)