Appeals Court Rules FTC Can Regulate Corporate Cyber Security Following High-Profile Security Breaches

There have been several high profile security breaches over the last couple of years, and in many instances, cyber thieves were able to extract personal information of their target's customers. Usually this resulted in the company offering a free year of identity theft protection to those affected, though in the future, firms may not get off quite so easily.

A lower court ruling from 2014 giving the Federal Trade Commission (FTC) the authority to regulate cyber security was upheld recently by the 3rd U.S. Circuit Court of Appeals in Philadelphia by a 3-0 vote. Following the ruling, the FTC may take legal action against Wyndham Worldwide Corp, a hotel operator that owns Days Inn, Howard Johnson, Ramada, Super 8, and Travelodge.


Specifically, the FTC believes Wyndham is ultimately responsible for three separate security breaches occurring in 2008 and 2009. Hackers were able to access and steal personal data belonging to over 619,000 customers combined in those attacks, including credit card information, leading to over $10.6 million in bogus charges.

"It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information," FTC Chairwoman Edith Ramirez said, according to Reuters.

Naturally, Wyndham disagrees with the ruling. Wyndham argued (unsuccessfully) that giving the FTC this kind of power would essentially mean it could regulate hotel room door locks or even sue grocery stores that don't do a good job cleaning up banana peels.