U.S. Federal Trade Commission Gets Power to Sue Companies for Lax Information Security

U.S. companies that fail to adequately protect their customers’ information due to lax information security can be sued by federal consumer-protection enforcers, based on a new ruling.

27 August 2015

A new ruling in favor of the Federal Trade Commission (FTC) puts U.S. companies on the hook for failing to protect customers’ digital information. If a company does not adequately protect its customers’ data, federal consumer-protection enforcers can file suit on the customers’ behalf. The decision has sweeping implications for any company that stores, processes or controls sensitive personal data, and is another sign of increasing regulatory scrutiny as the volume and severity of data breaches escalate.

Following the ruling by the Philadelphia-based Third U.S. Circuit Court of Appeals, the FTC can move forward with its lawsuit against Wyndham Worldwide Corp over poor data security practices. The FTC claims that Wyndham was responsible for three data breaches between 2008 and 2010 in which more than 619,000 payment card numbers were stolen by hackers, according to the Wall Street Journal.

Companies Penalized for Failing to Meet Security Standards

The FTC claims that Wyndham failed to follow proper security safeguards that might have prevented the hacks. The court noted that Wyndham left consumer information unprotected by firewalls, did not encrypt records, and used outdated software that could not receive security updates, the WSJ reported. Wyndham argues that the hackers should be held responsible for the theft. However, being hacked three times points clearly to a security problem, one that, as Judge Ambro wrote in the court’s opinion, “invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability.” The court rejected Wyndham’s argument, and the FTC Chairwoman said the decision “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

This ruling comes soon after Target settled a class-action lawsuit earlier this year for $10 million related to the company’s 2013 data breach. With 42 million credit and debit card accounts affected by the breach during that holiday shopping season, and another 61 million customers having their personal data stolen, the new FTC ruling supports lawsuits of this kind, laying fault with Target and costing the company millions of dollars. Target’s settlement required the company to appoint a chief information security officer, institute an information security program to document potential risk, and offer security training to relevant workers on safeguarding personal information. Had these safeguards been in place from the get-go, the breach might have been prevented, or at least mitigated in some way, saving the company millions of dollars and a great deal of angst.

Companies, especially those operating in regulated industries, need to address information security, or risk putting their own data, and that of their clients, partners and other providers, in jeopardy. Traditional methods for collaborating on and transferring critical data containing personal information are at the forefront of regulators’ minds. At Intralinks, we are committed to leading the market for secure collaboration by building a platform that supports the enterprise collaboration security requirements on the horizon.

Pete Brown

Pete Brown is the Director of Product Marketing at Intralinks. He has broad industry experience in SaaS applications, with deep expertise in trends and technologies related to information sharing, mobile work and data storage. In his previous role at Sonain, Pete led product marketing for a cloud-based email archive, with responsibilities including developing market requirements, competitive intelligence and channel enablement programs.