Has the FTC Met Its Match?

Companies across the country should be following the Federal Trade Commission’s (“FTC”) civil suit brought against Wyndham Worldwide Corporation and Wyndham Hotels and Resorts, LLC (“Wyndham”), entitled Federal Trade Commission v. Wyndham Worldwide Corporation, et al., as the outcome of this case may significantly impact the FTC’s ability to regulate U.S. companies with regard to cyber security.

In June 2012, the FTC filed a complaint in the U.S. District Court for the District of Arizona against Wyndham. The action arises from multiple cyber security breaches of Wyndham’s computer network purportedly occurring from 2008 to 2010 and resulting in an alleged loss of $10.6 million to Wyndham customers. The FTC seeks an injunction against Wyndham, claiming that it has the legal authority to do so pursuant to 15 U.S.C. § 45(a), which allows the FTC to police U.S. corporations for purposes of preventing “unfair competition and deceptive acts or practices in or affecting commerce.”

The sum and substance of the FTC’s claims against Wyndham is that it made “deceptive statements” to its customers through Wyndham’s customer reservations website. These deceptive statements were reportedly contained in Wyndham’s internet privacy policy, which assured Wyndham’s customers that it was concerned about protecting customer information and did so by “using standard industry practices.” Despite these purported representations, the FTC claims that Wyndham failed to utilize general and well-accepted cyber security measures and, as a result, Russian cyber-criminals were able to infiltrate the Wyndham computer network and steal its customers’ personal financial information, such as credit card numbers.

In addition to being deceptive, the FTC claims that Wyndham’s alleged “failure to implement reasonable and appropriate security measures” necessary to sufficiently secure its customer information equates to “unfair acts” because Wyndham’s actions, or failure to act,

“caused or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves…”

At first blush, the FTC’s action against Wyndham appears to be nothing new. Since 2000, the FTC has brought over 40 such cases against U.S. companies for purported failures to sufficiently safeguard personal identifying information. However, the majority of these cases resulted in a settlement between the FTC and its target. In this case, however, Wyndham is attempting to turn the tables on the FTC, arguing that, in reality, it is the FTC’s reliance on 15 U.S.C. § 45(a) to enforce unspecified data security standards that is inherently illegal and unfair. More specifically, Wyndham argues that the FTC does not have Congressional authority to “establish data-security standards for the private sector and enforce those standards in federal court.” In addition to its lack of legal authority, Wyndham argues that any attempt by the FTC to enforce data security standards is fundamentally unfair because the FTC lacks the requisite “expertise in either the policy or technology of data-security issues” to do so and, just as critically, has never published any specific standards for U.S. businesses to follow.

Whatever the outcome of this case, the stakes are high. As Congress struggles with cybersecurity legislation, the FTC is currently the top cop when it comes to cybersecurity regulation. As such, all companies gathering either customer or employee personal identifying information should be keeping a close eye on this litigation.
