Professional Community for Automotive Marketers, Car Dealers, OEM and Suppliers
Earlier this month, a Federal District Court judge ruled that the Federal Trade Commission has the authority to enforce and punish companies that fail to “remedy unreasonable data security practices.” The ruling originated through a lawsuit filed by the Federal Trade Commission against Wyndham Hotels when they sought to bring enforcement action against the hotel company for failing to have adequate data security practices in place. That failure resulted in multiple breaches of data between 2008 and 2010. Wyndham sought to have the case dismissed based on the grounds that the Federal Trade Commission did not have the authority to regulate because the FTC Act named specific industries which, by default, limited their regulatory authority to those industries. The court rejected that argument and is allowing the case to move forward.
Why is this important?
The FTC Act was designed to protect consumers from “unfair competition [as well as]… deceptive acts or practices in or affecting commerce.” The FTC was seeking to administer enforcement actions through the unfairness prong of that act. The court held that “subsequent data security legislation ‘seems to complement – not preclude – the FTC’s authority.” With this statement, the court essentially admits to expecting to see security data legislation in the future.
“Companies should take reasonable steps to secure sensitive consumer information. When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers,” said FTC Chairwoman Edith Ramirez. In response to the ruling, she noted that the decision affirmed the FTC’s authority “to hold companies accountable for safeguarding consumer data.”
In the automotive industry, compliance has become increasingly complex in its intricacies and many dealerships hire outside companies to audit their practices to ensure that they are compliant in all ways necessary, whether that’s consumer information and records kept on hand or through appropriate advertising. A single ruling by a Federal judge just added another layer of complexity to those compliance rules and should put all automotive dealers and managers on high alert that it is imperative that they not only know how they are protecting their customer’s data in their store, but also everywhere that data goes.