For companies like the dating site Ashley Madison or the health insurer Anthem, financial loss, customer anger and professional embarrassment aren't the only consequences of getting massively gutted by hackers. Now a court has confirmed that there's a three-letter agency that can dish out punishment, too.
In a decision published Monday, a U.S. appellate court ruled that the Federal Trade Commission has the authority to sue Wyndham Hotels for allowing hackers to steal more than 600,000 customers' data from its computer systems in 2008 and 2009, leading to more than $10 million in fraudulent charges. The ruling more widely cements the agency's power to regulate and fine firms that lose consumer data to hackers, if the companies engaged in what the FTC deems "unfair" or "deceptive" business practices. At a time when ever-more-private data is constantly getting breached, the decision affirms the FTC's role as a digital watchdog with actual teeth.
The FTC originally sued Wyndham in 2012 over the lack of security that led to its massive hack. But before the case proceeded, Wyndham appealed to a higher court to dismiss it, arguing that the FTC didn't have the authority to punish the hotel chain for its breach. The third circuit court's new decision spells out that Wyndham's breach is exactly the sort of "unfair or deceptive business practice" the FTC is empowered to stop, sending Wyndham back to face the FTC's lawsuit in a lower court.
"A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business," reads the court's ruling.
For consumer privacy watchdogs, the ruling comes as a relief, solidifying another serious legal incentive for companies to invest in protecting their customers' data, according to Electronic Privacy Information Center attorney Alan Butler. "This a huge victory for the FTC, but also for American consumers," says Butler, who filed an amicus brief defending the FTC's authority earlier in the case. "We see services and companies being hacked on an almost daily basis now. Having the FTC out there, bringing actions against companies that fail to protect consumers’ data is a critical tool."
Wyndham Hotels, for its part, vowed to continue its case in the lower court. The company points out that the appellate court ruled on the FTC's authority, not the specific allegations the agency made against Wyndham, namely that it had failed to adequately protect its customers. "We believe the facts will show the FTC’s allegations are unfounded," reads a statement from Wyndham spokesperson Michael Valentino. "Safeguarding personal information remains a top priority for our company, and with the dramatic increase in the number and severity of cyberattacks on both public and private institutions, we believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries.”
Even if Wyndham does eventually lose its case against the FTC, it likely won't be fined, says Berkeley Law professor Chris Hoofnagle. Instead, it could face the kind of privacy probation that is a frequent outcome of the FTC’s privacy suits against firms, in which the agency closely oversees its data protection systems for a period as long as 20 years, with the option to later impose fines for any violation of the standards it imposes.
But aside from Wyndham itself, the appellate ruling establishes a more important precedent for the legal consequences of a data breach. "Had Wyndham won at the third circuit, it would have called into question the FTC’s ability to police privacy and security," says Hoofnagle, describing that avoided outcome as a "disaster" for the agency. "This is a major deal."
In its original lawsuit, the FTC accused Wyndham of a long litany of privacy fails, from storing credit card information unencrypted to lacking firewalls to using easily-guessed passwords. The agency compared those practices to Wyndham's published privacy policy—which promised that it did use some kinds of encryption to protect consumer data as well as firewalls and other "safeguards"—and argued that its insecurity amounted to "unfair" business practices.
Wyndham had specifically challenged that "unfair" claim, arguing that it hadn't actually engaged in the "unscrupulous or unethical behavior" that it said the FTC's standard requires. But the appellate court wasn't persuaded; It ruled that the alleged mismatches between its data protection and its privacy policy were sufficient to meet that "unfair" standard, without any accusations of "unethical" behavior necessary.
The Court also rejected another argument from Wyndham that if the FTC were allowed to punish companies for this sort of data breach, it would be allowed to sue any supermarket that's “sloppy about sweeping up banana peels,” opening the door to unfair practice claims run amok. On that point, the Court snapped back: "Were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability."
The appellate ruling doesn't necessarily grant the FTC new powers so much as dispel legal questions around the power it already possesses to be a data security watchdog, says Berkeley's Hoofnagle. As data breaches increasingly become a source of real suffering for consumers—see the reports of suicides that have already resulted from Ashley Madison's scandalous data spill—the agency's mandate more important than ever.
"The law has always imposed responsibility on companies for the care of their customers. When you’re in the restaurant you have to be protected against slips and falls or food-borne illness," says Hoofnagle. "Data is just something new that companies have to protect if they want to bear the benefits of collecting it."
