Court confirms: You can be sued by gov’t for data breaches

A landmark court ruling came down this week with far-reaching implications for businesses. What it means for you: If you’re not doing enough to protect customer data, the Federal Trade Commission (FTC) can sue for deceptive business practices. 

Here’s the rundown of the case: Hackers hit Wyndham Hotels hard in recent years. They stole personal information, credit card numbers and more, which resulted in millions in fraudulent charges.

The FTC went after Wyndham in court. It said the company failed to take the most basic security precautions: storing data in clear text, using firewalls, protecting data, using simple passwords, etc.

‘Unfair business practices’

The most controversial part of the case was what FTC alleged. It said that failing to provide adequate security for customers amounted to unfair and deceptive business practices, which FTC has the power to sue over.

Wyndham fought back. It claimed the case should be dismissed because it’s business practices weren’t unfair – it had been the victim of hackers, not the perpetrators of the crime.


But that didn’t fly with the appeals court. The court said that even if the security shortcomings weren’t the proximate cause of the stolen identities, the crime was foreseeable given the total lack of security measures.

Wyndham tried one more defense, that labeling the business practice as “unfair” would be tantamount to suing a supermarket that was sloppy about sweeping up banana peels. The court shot this down, amusingly stating that:

“it invites the 21 tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under [the unfair business practices clause].”

So what does it all mean?

Wyndham will now have to return to a lower court to fight this lawsuit. But the effects of this case stretch far beyond one hotel chain’s security nightmare.

Experts now predict that given this win, FTC will come after companies that get hit by hackers in the future. Since the court has established a precedent that security breaches can result in FTC suits, expect the agency to start poking around other companies’ security policies following breach discoveries.

And there won’t have to be a smoking gun, either. While Wyndham was hit for having inadequate security, the court said that FTC had no duty to outline specific steps the hotel chain could’ve taken. Just arguing that it didn’t have enough data security in place was enough to allow the lawsuit to go forward.

Address security ASAP

For the many organizations wondering how they’ll be able to convince higher-ups that security matters, here’s your answer.

Breaches won’t just cause lost customers, reputation and revenue – they can now lead to government agencies dragging executives into court to explain why they weren’t doing enough to protect data.

If you’re not keeping up with industry standards, let alone basic security, a breach could only be the beginning of your troubles. Whatever the hackers don’t make off with, the government could go after in court.

Make Smarter Tech Decisions

Get the latest IT news, trends, and insights - delivered weekly.

Privacy Policy