Earlier this month, a Federal District Court judge ruled that the Federal Trade Commission has the authority to enforce and punish companies that fail to “remedy unreasonable data security practices.” The ruling originated through a lawsuit filed by the Federal Trade Commission against Wyndham Hotels when they sought to bring enforcement action against the hotel company for failing to have adequate data security practices in place. That failure resulted in multiple breaches of data between 2008 and 2010. Wyndham sought to have the case dismissed based on the grounds that the Federal Trade Commission did not have the authority to regulate because the FTC Act named specific industries which, by default, limited their regulatory authority to those industries. The court rejected that argument and is allowing the case to move forward.

Why is this important?

The FTC Act was designed to protect consumers from “unfair competition [as well as]… deceptive acts or practices in or affecting commerce.” The FTC was seeking to administer enforcement actions through the unfairness prong of that act. The court held that “subsequent data security legislation ‘seems to complement – not preclude – the FTC’s authority.” With this statement, the court essentially admits to expecting to see security data legislation in the future.

“Companies should take reasonable steps to secure sensitive consumer information. When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers,” said FTC Chairwoman Edith Ramirez. In response to the ruling, she noted that the decision affirmed the FTC’s authority “to hold companies accountable for safeguarding consumer data.”

This ruling has far-reaching effects in that a precedent has been set, authorizing the FTC to act upon the behalf of consumers to monitor and enact penalties against companies who do not make reasonable efforts and have in place practices that protect consumer data. The responsibility for data security rests solely on the business with which the consumer entrusts his or her information. The crux of the suit was that “the differences between promises Wyndham made in its privacy policy and the company’s actual data security practices were sufficient to support a deceptive claim under the FTC Act.”

In the automotive industry, compliance has become increasingly complex in its intricacies and many dealerships hire outside companies to audit their practices to ensure that they are compliant in all ways necessary, whether that’s consumer information and records kept on hand or through appropriate advertising. A single ruling by a Federal judge just added another layer of complexity to those compliance rules and should put all automotive dealers and managers on high alert that it is imperative that they not only know how they are protecting their customer’s data in their store, but also everywhere that data goes.