[JURIST] The US Court of Appeals for the Third Circuit [official website] on Monday upheld [opinion, PDF] a ruling against defendant Wyndham Worldwide Corporation, essentially granting the Federal Trade Commission (FTC) [official websites] the power to regulate corporate cybersecurity. In 2012, the FTC filed suit against Wyndham in the US District Court for the District of Arizona [official website], alleging unfair and deceptive practices in relation to three data breaches in 2008 and 2009 that led to more than $10 million in fraudulent charges. The case was transferred to the US District Court for the District of New Jersey [official website], where the court denied a motion to dismiss filed by Wyndham on the basis that the FTC lacks the power to regulate cybersecurity, or in the alternative that Wyndham was not given fair notice that their actions were in violation of 15 USC § 45(a) [text] as deceptive or unfair trade practices. Despite ruling, the district court certified the question of fairness to the appeals court. Writing for the appeals court, Judge Thomas Ambro stated, “we have little trouble rejecting Wyndham’s fair notice claim” after considering Wyndham’s failure to use available cybersecurity measures even after being the victim of hacking on multiple occasions. The case will now continue in the district court, where Wyndham has vowed to continue to challenge the FTC’s exercise of power.
The FTC’s stated goal is to “prevent business practices that are anticompetitive or deceptive or unfair to consumers; to enhance informed consumer choice and public understanding of the competitive process; and to accomplish this without unduly burdening legitimate business activity.” To achieve that goal, the FTC has filed and pursued cases against a wide variety of market entities, including the North Carolina Board of Dental Examiners, the pharmaceutical group Actavis and even Google [JURIST reports].