A Legal Guide to PRIVACY AND DATA SECURITY 2026

On December 17, 2015, LifeLock, Inc. agreed to pay $113 million to settle charges made by the FTC that the company had failed to create and maintain a comprehensive information security program to protect customers’ personal data, including social security and bank account information. This was the largest monetary award obtained by the FTC in an order enforcement action.

Challenging FTC Jurisdiction in Data Security Actions.

Does the FTC have the authority to regulate and impose data security standards on private businesses under the FTC Act? For the first time, a business challenged the very authority of the FTC to regulate the data security practices of private businesses in FTC v. Wyndham Worldwide Corp., No. 2:13cv1887 (D.N.J. 2014). The FTC alleged that franchisor Wyndham Hotels and Resorts, along with its affiliates, engaged in deceptive practices by misrepresenting that it used “industry standard practices” and “commercially reasonable efforts” to secure the data it collected from guests, and in unfair practices by failing to protect customer data. Between 2008 and 2010, a criminal organization hacked into the property management system multiple times and accessed credit card information from several hundred thousand guests. For its remedies, the FTC sought both monetary damages and a permanent injunction requiring Wyndham and its franchisees to better secure their systems.

The FTC has been increasingly aggressive in bringing enforcement actions against private businesses under the FTC Act following data privacy and security breaches. Because these actions generally have been resolved through settlements and consent decrees, there are very few court opinions defining the boundaries of FTC authority in this area. In fact, Wyndham was the first company to overtly challenge the FTC’s authority to regulate and impose data security standards on businesses through enforcement actions under the FTC Act.
