Court Rules FTC Can Come After Your Company After a Cyber Attack

As if getting hacked isn’t enough to cause your business a headache, now you could be facing regulatory sanctions as well.

A U.S. appeals court ruled this week that the Federal Trade Commission can step in and sue companies that are victims of hacks, in cases where security practices are so lax, they constitute a violation of users’ privacy agreements. That affirmed a lower federal court ruling that also sided with the FTC.

The ruling, from the Third Circuit in Philadelphia, is part of an ongoing lawsuit the FTC brought against hotel chain Wyndham Worldwide.

Wyndham had one of the most egregiously weak security systems and actually was hacked three times in 2008 and 2009, with the theft of data from 619,000 customers, to the tune of $10.6 million in losses, not including unreimbursed charges, lost access to funds and the money spent trying to reverse fraudulent charges. Many were traced back to a Russian hacking operation.

Wyndham appeared to have not even done the most basic in security measures. It stored credit-card data in easily readable formats, it didn’t create firewalls between different systems, it made passwords simple to crack, and it didn’t have a system to alert administrators when a hack took place.

Related: Apple's Tim Cook Made a Rookie Mistake and Might Face SEC Sanctions

Customers, however, thought Wyndham’s systems were more secure…because the company told them so. “We safeguard our Customers’ personally identifiable information by using industry standard practices,” the company said in its privacy policy at the time. “Although ‘guaranteed security’ does not exist either on or off the Internet, we make commercially reasonable efforts to make our collection of such Information consistent with all applicable laws and regulations.”

This raised a “deceptive practices” claim, the appeals court suggested, because customers had an expectation, based on the privacy policy, that their records were secure.

The FTC has argued it can take action against Wyndham because the hotel chain engaged in “unfair cybersecurity practices” that, “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”

Wyndham had argued that the FTC didn’t have the authority to take action and that it cannot possibly have been engaged in unfair practices because it was the victim of a crime.

What’s more, it went further to say that, if the court’s allow the FTC to get involved in security, it was also extending its authority to areas like hotel-room door locks.

Related: 4 Ways Stock-Market Volatility Affects Every Business

The appeals court was not amused by that last argument, saying it “is alarmist to say the least and “invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability.”

Clearly, the case has an impact on any company engaged in ecommerce, but the extent and reach of the FTC’s authority remains unclear because it’s based on what measures companies take to make their customer data secure. Companies will likely face FTC enforcement action after hacks if they can’t show the agency they took all reasonable measures to protect their systems. But that’s also a moving target.

Take the recent Ashley Madison hack. In that case, cybersecurity experts agree the infidelity site had many strong cyber protections, yet the company still suffered one of the most embarrassing hacks in history, with the release of millions of customer names, emails and credit information, in addition to internal emails from the CEO. That has raised the possibility among cybersecurity professionals that the hack was an inside job or of a level of sophistication not yet seen. The former could raise an FTC claim (a failure by Ashley Madison to monitor its own employees’ access to information) while the latter would be tougher to prove (an advance in criminal capacity not yet imagined by even the most modern security systems).

The court itself didn’t outline a standard for how far companies need to go to protect their customers’ data. But, at the same time, it did suggest many companies probably aren’t doing enough and need to do a better job.

Related: KFC Doubles Down on a Dumb Ad Campaign