A recent unanimous decision by the U.S. Court of Appeals for the Third Circuit is poised to have a considerable impact on cybersecurity for American corporations, including those in the U.S. Virgin Islands.
The decision in Federal Trade Commission v. Wyndham Worldwide Corp. puts to rest an ongoing debate regarding the oversight of corporate cybersecurity, with the Federal Trade Commission Act, the Fair Credit Reporting Act, the Stored Communications Act, and various state laws all potentially having a role to play in safeguarding against cyber threats. According the Third Circuit’s decision, the regulation of cybersecurity falls within the purview of the FTC, which means businesses operating under U.S. law are now responsible to the Commission when it comes to implementing appropriate security measures.
The Wyndham case grew out of a series of severe data breaches involving the hotel management firm. Hackers accessed more than 600,000 Wyndham customers’ personal information—including credit card numbers—and engaged in fraudulent activity. In total, it is believed that at least $10.6 million in lost funds can be traced back to the data breach.
Part of the reason why the Wyndham decision is so important to American businesses is that, in an age of increasing reliance on technology, the ease with which company or customer information can be accessed by third parties creates the potential for serious breaches, thus making it all the more urgent that businesses take the proper steps to avoid data compromises in the first place. Companies need to revisit their privacy policies, their data collection policies and practices and their security measures in order to make sure both they and their customers or clients are well protected. They also need to hold their policies up against industry-specific rules and state or territorial laws to ensure full compliance.
For the FTC’s part, the Third Circuit ruled that the Commission has the power to oversee cybersecurity because data breaches like Wyndham’s constitute acts of unfairness or deception toward customers. In short, because Wyndham had a privacy policy in place, failed to abide by it and exposed customers to financial losses—while still benefiting as a company by keeping the profits associated with attracting those customers in the first place—the firm acted unfairly toward its customers, thereby violating the Federal Trade Commission Act.
In the wake of Wyndham—and with the threat of cybersecurity breaches growing stronger and more complex all the time—it’s becoming increasingly critical that businesses take the steps necessary to ensure the security of company and customer data. But as the decision highlighted, it’s not enough to merely attempt to implement security measures—it’s also important that businesses and corporations educate themselves on processes and systems currently available, to make sure they’re doing everything within the power to guard sensitive data.
If you have concerns about your company’s cybersecurity or would like to better understand how the Wyndham decision affects your business, reach out to a skilled business law attorney with specialized expertise in data privacy and FTC enforcement, such as the attorneys at Bolt Nagi.
BoltNagi is an established and widely respected corporate law firm serving businesses and organizations throughout the U.S. Virgin Islands.