Since 2002, the Federal Trade Commission has been pursuing businesses for substandard cybersecurity practices under Section 5 of the FTC Act, which empowers the FTC to crack down on unfair business practices.
The law didn’t explicitly grant the FTC the power to regulate cybersecurity, but until 2012, no company had ever challenged the FTC’s authority, always choosing to settle with the agency. Settlements usually included a package of data security reform and program monitoring, often for as long as 20 years.
However, in 2012, the hotel chain Wyndham Worldwide challenged the FTC’s imposition of reform in court after the company suffered data breaches in 2008 and 2009, arguing that the “unfair” clause didn’t cover cybersecurity. Hackers obtained the credit card information of over half a million customers, which had been stored unencrypted in Wyndham’s database, after they successfully brute-forced an administrator’s account.