Court Rules FTC Can Come After Your Company After a Cyber Attack

In a closely watched ruling, an appeals court says victims of hackers have liability for unfair-practices claims.

By Ray Hennessey Edited by Dan Bova

Opinions expressed by Entrepreneur contributors are their own.

As if getting hacked isn't enough to cause your business a headache, now you could be facing regulatory sanctions as well.

A U.S. appeals court ruled this week that the Federal Trade Commission can step in and sue companies that are victims of hacks, in cases where security practices are so lax, they constitute a violation of users' privacy agreements. That affirmed a lower federal court ruling that also sided with the FTC.

The ruling, from the Third Circuit in Philadelphia, is part of an ongoing lawsuit the FTC brought against hotel chain Wyndham Worldwide.

Wyndham had one of the most egregiously weak security systems and actually was hacked three times in 2008 and 2009, with the theft of data from 619,000 customers, to the tune of $10.6 million in losses, not including unreimbursed charges, lost access to funds and the money spent trying to reverse fraudulent charges. Many were traced back to a Russian hacking operation.

Wyndham appeared not to have taken even the most basic security measures. It stored credit-card data in easily readable formats, it didn't create firewalls between different systems, it made passwords simple to crack, and it didn't have a system to alert administrators when a hack took place.

Customers, however, thought Wyndham's systems were more secure… because the company told them so. "We safeguard our Customers' personally identifiable information by using industry standard practices," the company said in its privacy policy at the time. "Although 'guaranteed security' does not exist either on or off the Internet, we make commercially reasonable efforts to make our collection of such Information consistent with all applicable laws and regulations."

This raised a "deceptive practices" claim, the appeals court suggested, because customers had an expectation, based on the privacy policy, that their records were secure.

The FTC has argued it can take action against Wyndham because the hotel chain engaged in "unfair cybersecurity practices" that, "taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft."

Wyndham had argued that the FTC didn't have the authority to take action and that it cannot possibly have been engaged in unfair practices because it was the victim of a crime.

What's more, it went further to say that, if the courts allow the FTC to get involved in security, it would also be extending its authority to areas like hotel-room door locks.

The appeals court was not amused by that last argument, saying it "is alarmist to say the least" and "invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability."

Clearly, the case has an impact on any company engaged in ecommerce, but the extent and reach of the FTC's authority remain unclear because they are based on what measures companies take to make their customer data secure. Companies will likely face FTC enforcement action after hacks if they can't show the agency they took all reasonable measures to protect their systems. But that's also a moving target.

Take the recent Ashley Madison hack. In that case, cybersecurity experts agree the infidelity site had many strong cyber protections, yet the company still suffered one of the most embarrassing hacks in history, with the release of millions of customer names, emails and credit information, in addition to internal emails from the CEO. That has raised the possibility among cybersecurity professionals that the hack was an inside job or of a level of sophistication not yet seen. The former could raise an FTC claim (a failure by Ashley Madison to monitor its own employees' access to information) while the latter would be tougher to prove (an advance in criminal capacity not yet imagined by even the most modern security systems).

The court itself didn't outline a standard for how far companies need to go to protect their customers' data. But, at the same time, it did suggest many companies probably aren't doing enough and need to do a better job.

Ray Hennessey is the former editorial director of Entrepreneur.
