Let's say I run a successful daycare facility. It boasts numerous educational services to enhance your children's ongoing development while you're slaving away at your day jobs.
Then, disaster strikes. Ruthless kidnappers enter my building to cart off a toddler or two to sell to baby brokers working the underground adoption market. We all know that if the child captors and other criminals are found, they'll be arrested and jailed.
But what about the daycare owner to whom you entrusted your children? Further inspection reveals that my physical security defenses were weak. Sure, I had locks on the doors, but I didn't use them, and I didn't tell my staff to use them either. Nor did I put in place the access control mechanisms that are standard in the industry, such as PIN keypads or proximity badge systems. It's far from shocking when my business goes bust, I'm charged with criminal negligence, and former clients file civil lawsuits against me, right?
So why is it that Wyndham Hotels and Resorts deems itself “singled out” by the Federal Trade Commission (FTC)? The agency sued the company after more than $10 million in fraudulent purchases were made with credit card numbers stolen from the hotel chain's customers. Is the company not culpable for failing to adopt industry standards and to implement the security practices and tools needed to protect customer accounts? After all, it allegedly was hit by data thieves not once but THREE times in less than two years.
Now, my example of a bunch of babies being taken from a shoddily secured daycare facility might be a little extreme. However, just as the victims in that instance would expect all blameworthy parties to be brought to justice, so too would Wyndham customers want to see justice served when their data is stolen.
Enter the FTC, which alleges that the company and three of its subsidiaries sidestepped acceptable data security, which led to three data breaches, which in turn begot “fraudulent charges on consumers' accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers' payment card account information to an internet domain address registered in Russia,” according to a June FTC press release. In late August, Wyndham filed a motion to dismiss the FTC complaint, saying it had been “singled out” by the government watchdog in “unprecedented regulation.” Part of the logic behind this claim is that because the FTC hasn't published any specific rules or regulations telling businesses what security precautions they must take to avoid a breach, the company is blameless on the grounds of its own ignorance.
Really? So despite other industry regulations and compliance mandates, news about data breaches hitting virtually every day, and the multiple breaches to which Wyndham itself fell victim, company execs just had no idea they needed to act as trustworthy shepherds of their customers' data?
The FTC has settled with countless other organizations for lesser, but still unacceptable, security lapses, which makes the claim that Wyndham was singled out a stretch. So, too, is the assertion that Wyndham's executives needed a precise FTC rule before taking appropriate steps to prevent a breach. But, then again, if that is true – that none of the Wyndham executives knew that industry-wide data security standards are expected to underpin every business today – then maybe they shouldn't be running one.