In a case testing regulators' authority to police companies' cybersecurity practices, a U.S. appeals court said Wyndham Worldwide Corp. must face a suit in which it's accused of failing to secure its computers from Russian hackers.
The court in Philadelphia Monday rejected the hotel chain's bid to end the Federal Trade Commission case.
Wyndham argued at a March 3 hearing that the company, itself a victim, was being penalized unfairly. The FTC says it has the power to bring enforcement actions against companies it believes failed to take reasonable steps to prevent breaches.
Wyndham argued that if the FTC's authority extends that far, the agency has the authority to "regulate the locks on hotel room doors." The court called that argument "alarmist to say the least."
"And it invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability," the court said in its opinion.
The FTC has settled 53 cases against companies related to data security, including SnapChat Inc., Reed Elsevier Inc. and Credit Karma Inc., the agency said.
Most of the enforcement actions are handled administratively and are resolved through consent orders, with the companies required to strengthen security measures. Wyndham is one of the few to challenge the agency's authority.
"It's the first Court of Appeals decision on the issue and should be viewed and taken by companies that this is a potential area of exposure," said Eric Hochstadt, a partner at Weil, Gotshal & Manges LLP in New York who has been watching the case. "This is definitely an area of growing concern as the underlying misconduct, data breaches, is growing in scope."
In February, the Obama administration proposed empowering the FTC to require companies to abide by principles including transparency on data-collection, giving consumers the right to control personal information.
The agency sued Wyndham after three attacks on its computer network in 2008 and 2009. The company hired five groups of consultants after the attacks, the chain's lawyers said. All failed to uncover how the hackers breached the system.
The breaches compromised more than 619,000 card accounts, with many of the numbers exported to a domain registered in Russia. Fraudulent charges on accounts led to more than $10.6 million in losses.
The appeals court was required to take the FTC's allegations at face value at this stage in the litigation, Wyndham said in a statement.
"Once the discovery process resumes, we believe the facts will show the FTC's allegations are unfounded," Michael Valentino, a spokesman for the company, said in the statement. "Safeguarding personal information remains a top priority for our company and, with the dramatic increase in the number and severity of cyberattacks on both public and private institutions, we believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries."
FTC Chairwoman Edith Ramirez said the appeals court decision "reaffirms the FTC's authority to hold companies accountable for failing to safeguard consumer data."
"It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information," Ramirez said in an e-mailed statement.
The case is FTC v. Wyndham Worldwide Corp., 14-3514, U.S. Court of Appeals for the Third Circuit (Philadelphia).