The U.S. Court of Appeals for the Third Circuit ruled unanimously that the agency can go forward with a lawsuit alleging that the Wyndham Worldwide Corp. did not do enough to safeguard its customers’ personal data.
Advertisement
These hackers stole credit card and other personal details from more than 619,000 consumers, leading to more than $10.6 million in fraudulent charges.
A representative of Wyndham wasn’t immediately available for comment.
The court’s decision effectively affirms the FTC’s authority to impose punishments on companies whose weak security practices lead to data breaches and consumer losses.
The U.S. Court of Appeals for the Third Circuit in Philadelphia denied Wyndham’s motion to dismiss the case.
The FTC claims in its suit against Wyndham that the company’s cybersecurity conduct constituted unfair practice and that its privacy policy was misleading to customers. Critics have argued the agency has no clearly defined cybersecurity standards for companies to follow.
FTC Chairwoman Edith Ramirez said the decision “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data”.
The company’s hotels stored payment card information in clear, readable text, and it used easily guessed passwords to access its property management systems, the FTC alleged. The commission sued Wyndham in June 2012, “claiming that the company’s computer systems unreasonably and unnecessarily exposed consumer data to the risk of theft”, according to CNBC.
When corporation databases are breached by hackers who steal consumers’ private information, the company response often amounts to little more than “Sorry about that”. Lawmakers in Congress haven’t passed comprehensive data-security legislation, and the FTC has sought to step into that void, bringing more than 50 data-security cases based on its authority to take action against unfair and deceptive business practices. Wyndham argued that that the company was also a victim of the hackings and was being penalized unfairly, Bloomberg said.
The panel also rejected Wyndham’s argument that the FTC hadn’t provided companies with guidance on what cybersecurity measures it considers reasonable and appropriate.
Advertisement
Appeals court Judge Thomas Ambro rejected that argument.
