Breach, Data Security

Wyndham Hotels court battle over FTC data security authority heats up again

The Federal Trade Commission (FTC) has filed fresh documents asking a U.S. District Court in New Jersey to reject a hotel chain's motion to dismiss a complaint filed against it following multiple data breaches.

In papers filed May 20 in federal court in Newark, the FTC asked that Judge Esther Salas toss the motion, which was entered in late April by Wyndham Hotels and Resorts (WHR).

"Wyndham compares itself [in its motion to dismiss] to a 'local furniture store' that was robbed, and protests that the FTC is re-victimizing it with this suit," according to the FTC filing. "A more accurate analogy would be that Wyndham was a local furniture store that left copies of its customers' credit and debit card information lying on the counter, failed to lock the doors of the store at night, and was shocked to find in the morning that someone had stolen the information." 

The Parsippany, N.J.-based Wyndham, one of the world's largest hospitality companies, is objecting to the FTC's reliance in this case on its right to enforce "unfair or deceptive acts or practices" related to data security.

"WHR, unlike the consumers in this case, lost millions of dollars and suffered significant reputational harm when cybercriminals attacked its network," according to its motion to dismiss, filed April 26. "Yet the FTC wants to turn a statute designed to protect consumers from unscrupulous businessmen into a tool to punish businesses victimized by criminals."

The outcome of the case, whose proceedings recently were transferred from Phoenix to Newark, could decide whether the FTC can continue to punish companies that have been breached.

While the FTC is not empowered or designated by the U.S. government to regulate cyber security, it justifies its actions in its capacity as a consumer protection agency. It already has brought dozens of cases against organizations, like Twitter and HTC, alleging failure to safeguard customer information and protect their privacy.

"The FTC is not suing Wyndham for the fact that it was hacked, it is suing Wyndham for mishandling consumers' information such that hackers were able to steal it," according to court documents.

According to the FTC, the offenses of this case began when Russian hackers breached Wyndham's Phoenix data center in 2008 and stole the financial information of customers, leading to two subsequent breaches in a two-year period.

The FTC filed a lawsuit against Wyndham roughly a year ago, claiming that more than $10 million in fraudulent purchases were made with hundreds of thousands of credit card numbers belonging to customers.

Legal experts are eagerly anticipating the judge's ruling, set to come June 17. Paul Rosenzweig, founder of Red Branch Consulting and former deputy assistant secretary for policy in the Department of Homeland Security, said that without any comprehensive cyber security legislation in place, the FTC has provided the "only effective method for cyber security regulation by the government."

"If, in the end, it turns out that the FTC lacks the authority it has been asserting then…well, then the government will be without any real authority to compel cyber security improvements," he wrote in a Wednesday blog post. "Some will see that as a victory; others as a defeat – but either way it will be quite important."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.