A recent decision by the U.S. Court of Appeals for the Third Circuit—FTC v. Wyndham Worldwide Corporation—may prove to be a watershed moment for the development of federal privacy law.
The Federal Trade Commission is an executive agency charged with taking action against “unfair” trade practices. In the absence of a coordinated response at the federal level to the dramatic increase in data breaches in recent years, the FTC has taken it upon itself to act against poor cybersecurity practices, deeming them unfair trade practices.
After the Wyndham hotel chain suffered three data breaches in less than two years, the FTC filed suit against the company. According to the complaint, Wyndham’s poor data security practices were responsible for the breaches, and resulted in millions of dollars of fraudulent charges on consumers’ credit and debit cards, as well as the transfer of hundreds of thousands of consumers’ account information to a Russian website.
Wyndham tried to get the case dismissed on the grounds that regulating cybersecurity practices is outside the FTC’s jurisdiction. The trial court denied Wyndham’s motion, and the recent decision by the Third Circuit upheld that ruling. As a consequence, companies can now expect the newly emboldened FTC to significantly expand its efforts in this area. As it does with other types of unfair business practices, the FTC is likely to make high-profile examples out of several companies in order to set a standard of care and to encourage all U.S. businesses to meet that standard.
Indeed, there are already lessons to learn from the Wyndham case. The shortcomings in Wyndham’s data security practices identified by the FTC and the courts include failing to use firewalls at critical network points, not restricting access from specific IP addresses, neglecting to encrypt customer files, and not requiring users to change their default or factory-setting passwords. While the FTC has identified these circumstances as particularly egregious, it is likely that many other companies have been equally neglectful of customer privacy. It remains to be seen which combination of security precautions will meet the FTC’s expectations, but the time for all companies to thoughtfully re-evaluate their cybersecurity practices is clearly now.