The Federal Trade Commission received a boost to its authority to prosecute data security breaches when a New Jersey judge allowed its case against a hacked hotel chain to move forward.

Credit - Flickr user jay d

District Court Judge Esther Salas shot down Wyndham’s claim that the FTC exceeds its authority by regulating data security and hacked companies. In 2012, the FTC charged Wyndham with unfair and deceptive practices after credit card information and personal data belonging to thousands of customers were exposed in multiple attacks on its systems between 2008 and 2011. Salas rejected the hotel chain’s attempts to wiggle out of the suit: even though the enforcement provision the FTC sued under, Section 5 of the FTC Act, doesn’t explicitly say “data security,” the agency’s unfairness authority still reaches it, write Harriet Pearson and Bret Cohen in Chronicle of Data Protection.

Judge Salas ruled that laws that expressly grant the FTC the ability to regulate data security – such as the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Children’s Online Privacy Protection Act – do not preclude its ability to regulate data security under its unfairness authority, but rather complement it. Moreover, the judge concluded that a few statements made by the FTC implying that the agency did not have the authority to regulate data security did not diminish its ability to bring data security claims under Section 5.

The FTC has been adamant about prosecuting data security hacks and flaws under Section 5. Within the past year, the FTC has settled suits against Credit Karma, Fandango, Accretive Health, GMR Transcription Services and Fantage after pursuing them over shady privacy practices. Since the agency started enforcing data security a decade ago, it has settled more than 50 related cases, according to Anne Foster in Health Law Update.

In the settlements with Credit Karma and Fandango over their smartphone apps, neither company was hacked, as Wyndham was; each merely had “a security shortcoming that could have allowed an attacker to connect to the app[s],” according to Steve Satterfield for Inside Privacy.

But what might be most notable is that in neither case does the FTC specifically allege that the respondent’s practices were “unfair” within the meaning of Section 5 of the FTC Act. Instead, both cases appear predicated upon the FTC’s authority to take actions against companies engaged in “deceptive” practices.

The complaints assert that the respondents violated Section 5 by engaging in practices inconsistent with representations made to consumers about the security that would be provided for personal information. In other words, the cases are classic FTC deception cases.

This highlights the breadth of the FTC’s authority when it comes to what it deems to be security and privacy flaws. Sanjay Nangia points out that a company does not even need to expose consumer data to find the FTC on its tail, because “the violations stem from mere failure to invest the time and security resources needed to protect data.”

Perhaps most surprising to companies is the FTC’s assertion that it may require them to have reasonable data protection policies in place (even if the company never promised consumers it would safeguard the data). Failure to secure data, according to the FTC, is an “unfair” practice under the FTC Act. … [T]he FTC has alleged that Wyndham failed to adequately protect consumer data collected by its member hotels. According to the FTC, hackers repeatedly accessed the data due to the company’s wrongly configured software, weak passwords, and insecure servers. Though Wyndham’s Privacy Policy did not technically promise that the information would remain secure, the FTC faulted it for the lapse anyway.

Wyndham wasn’t the first company to challenge the FTC’s authority. LabMD, a medical testing company, asked that the FTC’s case against it be thrown out, arguing that the agency could not regulate it because it already had to comply with HIPAA and answer to the Department of Health and Human Services. In denying that motion, the FTC said that it also has the right to regulate health information.

Because of the multiple statutes governing the FTC, it can be difficult to know whether you’re breaking its data security rules until the agency is contacting your legal department. The rapid pace of change in technology and in attackers’ skills hasn’t made cyber security any easier.

At least the FTC has been proactive about developing rules that keep up with the changes in tech. In February, Chairwoman Edith Ramirez called on Congress to pass bipartisan cybersecurity legislation to establish a national standard and strengthen its authority.

In her decision, Salas reiterates that Congress does give the FTC the authority to pursue data breaches, and that the agency is under no obligation to spell out in advance the data security practices it expects in order to reduce that ambiguity.