On Monday, a federal appeals court ruled that the Federal Trade Commission (FTC) has the power to take action (PDF) against companies that employ poor IT security practices. The ruling, from the United States Court of Appeals for the Third Circuit, came as part of a lawsuit between the FTC and Wyndham Worldwide Corporation, which manages a collection of hotels throughout the US.
In 2008 and 2009, Wyndham suffered three different breaches of its network, ultimately losing payment card information for more than 619,000 customers and causing $10.6 million in loss due to fraud. The FTC sued Wyndham in 2012 for failing to protect its customers from hackers, and Wyndham countered by saying that it was a victim of the hack itself and should not be penalized by the FTC for the breach.
The Philadelphia-based appeals court allowed the FTC’s case against Wyndham to go forward in district court, and it noted that the FTC could use its authority to pursue “cybersecurity” cases under 15 U.S.C. Sec.45, part of a 1914 law that gives the FTC the power to prohibit “unfair or deceptive acts or practices in or affecting commerce.”