Those following the FTC Wyndham case just heard that the federal court rejected Wyndham’s challenge to the FTC’s authority to enforce data security as an unfair trade practice. In its original lawsuit, the FTC accused Wyndham of a long litany of privacy fails, from storing unencrypted credit card information to lacking firewalls to using easily guessed passwords.

The implications of this recent decision are far reaching. The basis for the suit is that consumers felt safe doing business with Wyndham based in part on a promise that their data was safe. The FTC also went after LifeLock for the same reason. The FTC charged that LifeLock’s data was not encrypted and that sensitive consumer information was viewable by more employees than only those on a “need to know” basis. In fact, the agency charged, LifeLock’s data system was vulnerable and could have been exploited by those seeking access to customer information. LifeLock lost that case.

Since the mid-1990s, the FTC has been enforcing Section 5 of the FTC Act, 15 U.S.C. § 45, in instances involving privacy and data security. Section 5 prohibits “unfair or deceptive acts or practices in or affecting commerce.” During the past 15-20 years, the FTC has brought about 180 enforcement actions, the vast majority of which have settled. The key to the FTC’s argument is clear: deception and unfairness are valid bases for FTC enforcement. Wyndham was one of the exceptions; instead of settling, it challenged the FTC’s authority to enforce data security as an unfair trade practice.

To better grasp what an unfair trade practice is, think about the way the recent Ashley Madison hackers justified their actions. Supposedly the motivation for the Ashley Madison hack was to punish the company for promising subscribers that they were not vulnerable (as LifeLock did) and for accepting money to wipe their data even though the data was never wiped. Whether you side with the privacy rights of that site’s users or with the hackers’ activist data dump, the reality is that a company made (lots of) money on a promise it knew it could not keep, and thus it is seen as having deceived its subscriber base into a false sense of security.

With Wyndham, the company was breached three different times. The FTC’s view was that the company had not taken the steps considered standard and reasonable to protect the data.

Why this and the 7th Circuit’s recent decision about Neiman Marcus dovetail nicely is that actual injury, should the data get into the wrong hands, no longer has to occur for someone to have been victimized. I want to reiterate one great line from the ruling: “And the FTC Act expressly contemplates the possibility that conduct can be unfair before actual injury occurs.” This line is key, as the lack of “actual injury” (or harm) is often the basis on which many courts dismiss privacy and data security cases. The court makes clear here that “substantial injury” for FTC Act unfairness does not require actual injury. The FTC Act protects consumers against reasonably foreseeable harms when a company’s conduct facilitates these harms — even when a company’s conduct might not be “the most proximate cause of an injury.”

The takeaway? The assurances you give consumers about how you protect their information are subject to legal scrutiny and will be compared against the ways you actually protect the data, and against whether you go above and beyond the minimums ‘required’ by industry standards such as PCI DSS. If the government feels consumers have been ‘misled’, and as we can see in cases like LifeLock and Ashley Madison they have, the FTC will be all over you like white on rice.