From: JDSupra Business Advisor
In April, Edith Ramirez, Chairwoman of the FTC, and Julie Brill, FTC Commissioner, tweeted: “Pleased the court recognized @FTC’s authority to hold biz accountable for safeguarding consumer data & look forward to trying this case.” This tweet was celebratory, but signaled caution to companies regulated by the Federal Trade Commission (FTC).
The tweet referred to the decision of the United States District Court for the District of New Jersey in FTC v. Wyndham Worldwide Corp., which affirmed that the FTC has authority to regulate cybersecurity under Section 5 of the Federal Trade Commission Act (FTCA). The FTC had charged the hotel chain with unfair and deceptive trade practices “in connection with [Wyndham’s] failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information.” The FTC alleged that Wyndham’s security failures allowed hackers to access its Phoenix, Arizona data center in three data breaches in 2008 and 2009, during which consumers’ accounts were exposed, more than $10.6 million in fraud loss was incurred, and consumers’ payment card account information was exported to a Russian-registered domain. The FTC claimed certain statements on Wyndham’s website and privacy policies were deceptive, including the hotel chain’s assertion: “We safeguard our Customers’ personally identifiable information by using industry standard practices. Although ‘guaranteed security’ does not exist either on or off the Internet, we take commercially reasonable efforts to make our collection of such Information consistent with all applicable laws and regulations.”