In 2012, the Federal Trade Commission (FTC) filed suit against Wyndham Hotels and its subsidiaries, alleging that Wyndham’s failure to prevent a series of cybersecurity breaches, which resulted in the export of the credit card data of hundreds of thousands of consumers to Russia and at least $10.6 million in fraudulent charges, constituted unfair and deceptive practices. But if the FTC loses the coming court case, it could signal the end of the only effective program the federal government has to compel private companies to properly secure the data they collect about consumers.
The FTC has regularly assumed an enforcement role on consumer interests in cybersecurity matters, citing its authority to investigate deceptive and unfair practices under Title 5 of the FTC Act, but investigations have routinely ended in settlements or agreements to improve cybersecurity practices. In 2010, Twitter agreed to implement a comprehensive data security plan as part of an FTC settlement and was barred from misleading consumers about their ability to protect the privacy of personal information after “serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter,” including the ability to see private messages and post phony tweets. Google agreed to pay a $22.5 million fine in 2012 after violating a previous FTC settlement by misrepresenting privacy practices to users of Apple’s Safari browser.
The Wyndham case represents the first time such an investigation will go to court and a judge will have the opportunity to weigh in on the scope of the FTC’s ability to protect consumer interests in the cybersecurity space.
The FTC alleged the first Wyndham breach occurred in April 2008 as a result of a brute force attack where hackers guessed passwords, made easier by some pretty obvious oversights “including the failure to erect firewalls, use appropriate passwords or configure software to keep credit card information secure.” But even after the first breach, the FTC alleges Wyndham failed to remedy known security vulnerabilities or implement appropriate response procedures. As a result, the FTC says, hackers were able to use similar techniques to compromise systems two more times in 2009.
Wyndham argues in legal filings that it worked with law enforcement agencies, took remedial measures to address the breaches, and that, to the best of its knowledge, no hotel guest suffered financial injury, even though the company was alerted to the later 2009 breach by credit card companies that noticed fraudulent charges appearing shortly after consumers stayed in Wyndham hotels.
But more importantly, Wyndham has asked that the case be dismissed on the grounds that the FTC lacks the authority to punish companies for inadequate information security practices. Its filings cite the existence of other, more specific data laws, as well as an FTC report from 2000 in which, Wyndham’s lawyers say, the agency acknowledged that “it lacked authority to require firms to adopt specific data-security practices,” as evidence that the FTC cannot pursue enforcement in this area. The U.S. Chamber filed an amicus brief agreeing with that position, saying that the FTC’s actions amounted to punishing businesses that are themselves the victims of criminal hacking.
Despite the economic and privacy risks represented by data breaches — like, say, identity theft or credit card fraud — Congress has been unable to agree on an approach to mitigating the threat, with the result that no single agency is specifically tasked with enforcing any level of cybersecurity standards on the private sector. The FTC has stepped up to the plate and applied its general agency mandate to the risks associated with current data collection practices.
That’s why, if Wyndham succeeds in getting the case dismissed, it will have not only escaped accountability for allegedly lax data security practices — it may effectively leave Americans without anyone watching their digital backs.