Breach, Data Security, Network Security, Security Strategy, Plan, Budget

Chamber backs hotel chain in motion to toss FTC case

The law firm of the U.S. Chamber of Commerce has filed an amicus brief in Arizona, asking a U.S. District Court to accept a motion filed by Wyndham Hotels and Resorts that would dismiss a complaint launched by the Federal Trade Commission (FTC) over the hotel chain's repeated security breaches. 

The outcome of the case could decide whether the FTC can continue to punish companies that have been breached. The agency already has brought dozens of cases against organizations that allegedly failed to safeguard customer information and protect their privacy.

According to the FTC, the offenses of this case began when Russian hackers breached Wyndham's Phoenix data center in 2008 and stole the financial information of customers, leading to two subsequent breaches in a two-year period.

The FTC filed a lawsuit against Wyndham in June, claiming that more than $10 million in fraudulent purchases were made with hundreds of thousands of credit card numbers belonging to customers.

In response, Parsippany, N.J.-based Wyndham, one of the world's largest hospitality companies, moved to dismiss the complaint on Aug. 27, saying in its filing that the FTC “singled out” Wyndham in “unprecedented litigation.”

Now, the U.S. Chamber has run to the side of Wyndham, arguing in the brief that Wyndham and a number of other companies are being subjected to regulations governing "unfair" business practices, but they offer no expectation of how to comply with them.

"[The] amicus brief explains that over the last several years, the FTC has routinely punished businesses who are themselves hacking victims for allegedly failing to have “reasonable” data security measures in place – only there's no way for a business to truly know beforehand what the FTC will consider “reasonable” measure until after it's been hacked," according to a the NCLC. "Because FTC has never formally promulgated any data security standards, a business has no way of knowing whether it's compliant until after it's been hacked, had its data stolen, completed a costly FTC investigation, and an enforcement action has been filed against it."

An FTC spokeswoman did not immediately respond to a request for comment on Thursday.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.