Wyndham Hotels and Resorts has filed a motion in U.S. District Court in Phoenix to dismiss a complaint launched by the Federal Trade Commission (FTC) over the chain’s repeated security breaches.
According to the FTC, the offenses began when Russian hackers breached Wyndham’s Phoenix data center in 2008 and stole the financial information of customers, leading to two subsequent breaches in a two-year period.
The FTC filed a lawsuit against Wyndham in June, claiming that more than $10 million in fraudulent purchases were made with hundreds of thousands of credit card numbers belonging to customers.
In response, Parsippany, N.J.-based Wyndham moved to dismiss the complaint on Aug. 27, saying in its filing that the FTC “singled out” Wyndham in “unprecedented litigation.”
“Indeed, the FTC’s approach to data security regulation in this very case only confirms that the commission has neither the expertise nor the statutory authority to establish data security standards for the private sector,” the motion said. “The FTC has not published any rules or regulations that might provide the business community with ex ante [beforehand] notice of what data security protections a company must employ to be in compliance with the law.”
The FTC has contended that Wyndham, which operates 7,200 hotels and 93,000 vacation properties worldwide, and its three subsidiaries — Wyndham Hotel Group, Wyndham Hotels and Resorts, LLC, Wyndham Hotel Management — “misrepresented the security measures that the company and its subsidiaries took to protect consumers’ personal information and that its failure to safeguard personal information caused substantial consumer injury.”
It sued the major hotel chain for alleged violations under the FTC Act.
Legal experts said this case may be the first time the FTC has ever had to litigate its data security allegations. In the past, it has settled with major companies, like Google and RockYou, over privacy violations and breaches.
On Tuesday, Chester Wisniewski, a senior security adviser at Sophos, told SCMagazine.com that federally mandated guidelines for data security may not exist in the United States, but that does not exempt companies from being held accountable for major missteps.
He said that if the FTC’s claims against Wyndham were true, the hotel company was “definitely negligent.”
“There is no clearly defined legal standard, so what the FTC has to fall back on is industry standard best practices,” Wisniewski said. “For instance, we take different precautions when we are handling customers’ personal information than when we are putting up a print server – something that clearly isn’t sensitive.”