Courts Affirm FTC Authority to Punish Companies for Lax Cybersecurity

Since 2002, the Federal Trade Commission has been pursuing businesses for substandard cybersecurity practices under Section 5 of the FTC Act, which empowers the FTC to crack down on unfair business practices.
Federal Trade Commission Chair Edith Ramirez in Washington on Jan. 15, 2014. AP Photo/Susan Walsh


The law didn’t explicitly grant the FTC the power to regulate cybersecurity, but until 2012, no company had ever challenged the FTC’s authority, always choosing to settle with the agency. Settlements usually included a package of data security reform and program monitoring, often for as long as 20 years.

However, in 2012, the hotel chain Wyndham Worldwide challenged the FTC’s imposition of reform in court after the company suffered a data breach in 2008 and 2009, arguing that the “unfair” clause didn’t cover cybersecurity. Hackers obtained the credit card information of over half a million customers, which had been stored unencrypted in Wyndham’s database, after they successfully brute-forced an administrator’s account.

The FTC alleges that Wyndham made avoidable security errors.
Jonathan Zhou
Jonathan Zhou is a tech reporter who has written about drones, artificial intelligence, and space exploration.