FTC lawsuit over hotel chain data breach can proceed
The Federal Trade Commission's push to regulate corporate data security survived an attempt in federal court to dismiss a case the agency brought against the Wyndham hotel chain for three data breaches.
In 2012 the FTC launched a civil suit against Wyndham Worldwide Corp. after hackers penetrated its network in separate incidents from 2008 through early 2010, incidents the FTC says resulted in the compromise of more than 619,000 consumer payment card numbers and more than $10.6 million in fraud losses.
The suit cites existing FTC authority prohibiting "unfair and deceptive acts or practices" as its basis, language that comes from the 1914 statute creating the agency.
Judge Esther Salas of the U.S. district court for New Jersey, in an April 7 opinion, rejected an argument from Wyndham attorneys that the FTC exceeded its authority by not first formally promulgating regulations pertaining to data security.
Salas takes pains to note that her opinion isn't a decision about liability and says she is not giving "the FTC a blank check to sustain a lawsuit against every business that has been hacked."
Nonetheless, precedent establishes that the FTC need not necessarily formally publish rules and regulations before launching an enforcement action, the judge writes. Congress in 1914 considered, and rejected, the notion that it should list the particular unfair practices the FTC has power over, leaving the agency with broad discretionary authority.
She also rejects a Wyndham argument that the FTC failed to meet a threshold for bringing a lawsuit: that the unfair practice cause (or be likely to cause) substantial injury not reasonably avoidable by consumers.
The FTC says Wyndham put its guests' data at risk by, among other things, failing to patch its servers, not encrypting payment card numbers, leaving default user IDs and passwords active on servers, letting users log on to the Wyndham network with easy-to-guess passwords, and not firewalling its system.
At the same time, Wyndham disseminated privacy statements assuring consumers that it safeguarded the privacy and confidentiality of their data.
Salas says she's unconvinced that the FTC is under an obligation to specifically show where Wyndham made a misleading representation, as hotel attorneys argue, but that even if it is, the agency has shown with specificity where the hotel chain did make detailed claims.
In fact, evidence of Wyndham's assertions regarding its data safeguarding places the hotel in the incongruous position of simultaneously asserting that the FTC must first issue regulations before suing over data breaches and that the agency can't challenge as deceptive the representations the private sector makes today about data protection.