Court Rules FTC Can Come After Your Company After a Cyber Attack in a closely watched ruling, an appeals court says victims of hackers have liability for unfair-practices claims.

By Ray Hennessey

Opinions expressed by Entrepreneur contributors are their own.

Mark Van Scyoc |

As if getting hacked isn't enough to cause your business a headache, now you could be facing regulatory sanctions as well.

A U.S. appeals court ruled this week that the Federal Trade Commission can step in and sue companies that are victims of hacks, in cases where security practices are so lax, they constitute a violation of users' privacy agreements. That affirmed a lower federal court ruling that also sided with the FTC.

The ruling, from the Third Circuit in Philadelphia, is part of an ongoing lawsuit the FTC brought against hotel chain Wyndham Worldwide.

Wyndham had one of the most egregiously weak security systems and actually was hacked three times in 2008 and 2009, with the theft of data from 619,000 customers, to the tune of $10.6 million in losses, not including unreimbursed charges, lost access to funds and the money spent trying to reverse fraudulent charges. Many were traced back to a Russian hacking operation.

Wyndham appeared to have not even done the most basic in security measures. It stored credit-card data in easily readable formats, it didn't create firewalls between different systems, it made passwords simple to crack, and it didn't have a system to alert administrators when a hack took place.

Related: Apple's Tim Cook Made a Rookie Mistake and Might Face SEC Sanctions

Customers, however, thought Wyndham's systems were more secure…because the company told them so. "We safeguard our Customers' personally identifiable information by using industry standard practices," the company said in its privacy policy at the time. "Although "guaranteed security' does not exist either on or off the Internet, we make commercially reasonable efforts to make our collection of such Information consistent with all applicable laws and regulations."

This raised a "deceptive practices" claim, the appeals court suggested, because customers had an expectation, based on the privacy policy, that their records were secure.

The FTC has argued it can take action against Wyndham because the hotel chain engaged in "unfair cybersecurity practices" that, "taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft."

Wyndham had argued that the FTC didn't have the authority to take action and that it cannot possibly have been engaged in unfair practices because it was the victim of a crime.

What's more, it went further to say that, if the court's allow the FTC to get involved in security, it was also extending its authority to areas like hotel-room door locks.

Related: 4 Ways Stock-Market Volatility Affects Every Business

The appeals court was not amused by that last argument, saying it "is alarmist to say the least and "invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability."

Clearly, the case has an impact on any company engaged in ecommerce, but the extent and reach of the FTC's authority remains unclear because it's based on what measures companies take to make their customer data secure. Companies will likely face FTC enforcement action after hacks if they can't show the agency they took all reasonable measures to protect their systems. But that's also a moving target.

Take the recent Ashley Madison hack. In that case, cybersecurity experts agree the infidelity site had many strong cyber protections, yet the company still suffered one of the most embarrassing hacks in history, with the release of millions of customer names, emails and credit information, in addition to internal emails from the CEO. That has raised the possibility among cybersecurity professionals that the hack was an inside job or of a level of sophistication not yet seen. The former could raise an FTC claim (a failure by Ashley Madison to monitor its own employees' access to information) while the latter would be tougher to prove (an advance in criminal capacity not yet imagined by even the most modern security systems).

The court itself didn't outline a standard for how far companies need to go to protect their customers' data. But, at the same time, it did suggest many companies probably aren't doing enough and need to do a better job.

Related: KFC Doubles Down on a Dumb Ad Campaign

Ray Hennessey

Former Editorial Director at Entrepreneur Media

Ray Hennessey is the former editorial director of Entrepreneur.

Editor's Pick

Related Topics

Business News

'Please Fix This': Elon Musk Frantically Emails Employees During Livestream Glitch

Musk attempted to livestream his visit to the U.S.-Mexico border.

Business News

These NYC Roommates Created a Fake Restaurant and Accidentally Garnered a 2,000-Person Waitlist — So They Opened a Pop-up for Real.

The Gen Z'ers dubbed their apartment "Mehran's Steak House" on Google Maps during the pandemic.


A Guide to Effective Crisis Leadership — Key Steps to Lead Your Team Through Turbulent Times

The essential strategies and skills required to be a successful crisis leader and guide your organization through difficult times.

Business News

Katy Perry Is Fighting the Founder of 1-800-Flowers for a $15 Million California Mansion He Doesn't Want to Sell Her

The eight-bedroom, 11-bathroom estate sits on nearly nine acres in the Santa Ynez foothills in Montecito.

Personal Finance

5 Entrepreneurial Mindset Principles That Empower Financial Literacy

Adopting the right mindset is key to financial literacy. Follow these five guiding principles to enhance your understanding of wealth creation and growth.

Business Ideas

55 Small Business Ideas to Start in 2023

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2023.