A federal court has said the FTC had the ability to regulate cybersecurity under its unfairness authority when it filed suit against hotel company Wyndham and that Wyndham was not entitled to know the exact cybersecurity standards it would be held to.
"Wyndham cannot argue it was entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform.
Instead, the company can only claim that it lacked fair notice of the meaning of the statute itself," the court said, a theory it did not meaningfully raise and that we strongly suspect would be unpersuasive under the facts of this case."
That came in a decision of a three-judge panel of the U.S. Court of Appeals for the Third Circuit Monday upholding a lower court decision not to dismiss the FTC suit, as Wyndham had asked.
The hackers got encrypted information from over 500,000 accounts which were sent to a domain name in Russia.
The court had some fun with Wyndham's argument that if the FCC's unfairness authority extends to conduct (insufficiently protecting information), it has the ability to sue supermarkets that are "sloppy about sweeping up banana peels."
"The argument is alarmist to say the least," said the court, "and it invites the "tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability..."
Wyndham spokespeople were not immediately available for comment, but they could appeal the decision to the full court.
“While we are disappointed by the opinion, we continue to contend the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security," Wyndham said in a statement.
"It is important to note that today’s opinion was decided solely upon our motion to dismiss the FTC’s complaint, which requires the Third Circuit to take the FTC’s allegations at face value. Once the discovery process resumes, we believe the facts will show the FTC’s allegations are unfounded. Safeguarding personal information remains a top priority for our company, and with the dramatic increase in the number and severity of cyberattacks on both public and private institutions, we believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries.”