A federal court in New Jersey this week affirmed the Federal Trade Commission's contention that it can sue companies on charges related to data breaches, a major victory for the agency.
Judge Esther Salas of the U.S. District Court for the District Court of New Jersey ruled that the FTC can hold companies responsible for failing to use reasonable security practices.
Wyndham Worldwide Corp. had challenged a 2012 FTC lawsuit in connection with a data breach that exposed hundreds of thousands of credit and debit cards and resulted in more than $10.6 million in fraud losses.
The lawsuit accused Wyndham of unfair trade practices and of deceiving customers into thinking their sensitive cardholder data was adequately protected after the hotel operator suffered three major data breaches in two years.
The lawsuit was similar to several other lawsuits filed by the agency in recent years against companies that suffered data breaches. In most cases, breached entities settled the cases with the FTC
Wyndham was one of the just two companies so far to challenge such FTC lawsuits. The other, LabMD, an Atlanta-based medical laboratory, claimed a similar FTC lawsuit forced it to close its doors.
In its lawsuit, Wyndham questioned whether the FTC has the authority to take enforcement action against breached entities.
Several trade groups and the U.S. Chamber of Commerce also question the agency's authority to enforce data security standards under the unfair and deceptive practices provisions of the FTC Act. They accused the agency of trying to hold companies to security standards not included in FTC guidelines.
Wyndham and its supporters contend that Congress hasn't given the FTC the authority to regulate data security. Wyndham also challenged the FTC's claim it had deceived customers. The company asked the court to dismiss all of the FTCs claims against it.
Security and legal experts saw the case as a landmark test of the agency's authority to enforce data security standards on U.S. companies under a section of the FTC Act that prohibits "unfair" and "deceptive" trade practices. Over the past several years, the FTC has used this clause to force numerous settlements, or "consent decrees," from companies that suffered data breaches.
In her 46-page ruling Judge Salas rejected all of the Wyndham's claims and held that the FTC does have the authority to hold companies accountable for breaches resulting from their failure to apply proper security controls. The court held that the FTC does not need to issue any guidelines in order for it to hold companies accountable for breaches.
The ruling is a major victory for the FTC and could set the stage for more lawsuits, said Scott Vernick, a Fox Rothschild attorney who specializes in online privacy and rights issues.
"The main takeaway is that the FTC is here to stay," Vernick said. "If the decision holds the FTC will become more aggressive in enforcement action."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.
Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.
This story, "FTC can sue companies hit with data breaches, court says" was originally published by Computerworld.