The Third Circuit this week affirmed that the Federal Trade Commission (FTC) has the authority to regulate data security standards of commercial entities.
In FTC v. Wyndham, the agency sued Wyndham hotels after customer financial data was exposed. The FTC alleged that the hotel chain failed to maintain reasonable data security practices, which it outlined in detail, and that this failure led to the exposure of consumer data between 2008 and 2010. The company argued that the FTC lacks authority to regulate the data security standards of commercial entities, an argument that was rejected in the lower court and again at the US Court of Appeals for the Third Circuit.
The ruling affirms the FTC’s ability to bring data security cases under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” Any act that causes substantial injury to a consumer could be considered an unfair act.
FTC Chairwoman Edith Ramirez notes in a statement to the press, “Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information."
One of the arguments Wyndham made against the FTC’s authority was that targeted security legislation would be rendered superfluous if the FTC were also allowed to impose security standards, standards which are not publicized. We’ve talked here on the InTelligence Blog about the growing number of regulatory bodies stepping up to oversee and penalize organizations over data security issues. While investigations and penalties may indeed overlap, could this be said to be superfluous? Or would these cases of double jeopardy instead spur greater investment in, and preparation for, data breach prevention? Though we cannot argue against Wyndham’s point that greater collaboration between the government and private organizations would benefit data security, the case remains a critical one for the regulatory environment.
When it is found that your organization has failed to implement proper data protections, you could now find yourself subject to investigations and fines from multiple regulatory bodies for the same data breach event. Investigations and litigation related to a data breach can take years to resolve. Learn how Absolute can help your organization navigate the choppy regulatory landscape and mitigate data security risks at Absolute.com.