By Sophia Pearson, Bloomberg News
In a case testing regulators’ authority to police companies’ cybersecurity practices, a U.S. appeals court said Wyndham Worldwide Corp. must defend a suit in which it’s accused of failing to secure its computers from Russian hackers.
The court in Philadelphia Monday rejected the hotel chain’s bid to end the Federal Trade Commission case.
Wyndham argued at a March 3 hearing that the company, itself a victim, was being penalized unfairly. The FTC says it has the power to bring enforcement actions against companies it believes failed to take reasonable steps to prevent breaches.
Wyndham argued that if the FTC’s authority extends that far, the agency has the authority to “regulate the locks on hotel room doors.” The court called that argument “alarmist to say the least.”
“And it invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability,” the court said in its opinion.
The FTC sued Wyndham after three attacks on the company’s computer network in 2008 and 2009. Wyndham hired five groups of consultants after the attacks, the chain’s lawyers said. All failed to uncover how the hackers breached the system.
The breaches compromised more than 619,000 card accounts with many of those numbers exported to a domain registered in Russia. Fraudulent charges on accounts led to more than $10.6 million in losses.
In February, the Obama administration proposed empowering the FTC to require companies to abide by principles including transparency on data-collection activities, giving consumers the right to control personal information.
The case is FTC v. Wyndham Worldwide Corp., 14-3514, U.S. Court of Appeals for the Third Circuit (Philadelphia).
For more news, visit Bloomberg Business.