• by Wendy Davis  @wendyndavis, November 13, 2014

Consumer watchdogs are urging an appellate court to allow the Federal Trade Commission to proceed with a lawsuit against Wyndham Hotels for allegedly failing to safeguard consumers' data.

“When consumers transact business online, they entrust sensitive information -- financial, medical, and other personal data, such as birthdates and even Social Security numbers -- to the companies with which they do business,” Public Citizen, the Center for Digital Democracy and Consumer Action say in a friend-of-the-court brief filed on Wednesday with the Third Circuit Court of Appeals. “FTC enforcement actions ... against companies that fail reasonably to protect their consumers’ information from misappropriation are currently the only effective means of redressing the unfair corporate practices that lead to corporate data breaches.”

The groups are asking the appellate court to allow the FTC to proceed with its lawsuit against Wyndham.

The litigation grows out of three cyberattacks on Wyndham that occurred between 2008 and 2010. The FTC alleged in a 2012 lawsuit that Wyndham engaged in an unfair business practice by failing to take adequate cybersecurity measures -- such as using firewalls and encrypting credit card information.

The company is now appealing a ruling issued earlier this year by U.S. District Court Judge Esther Salas in New Jersey, who rejected Wyndham's request to dismiss the charges.

Wyndham argues in its latest court papers, filed last month, that it's the victim in this case, and shouldn't now face charges due to the actions of criminals.

But the watchdogs say that hotel chain's victimization by hackers is irrelevant to whether the FTC can pursue an enforcement action. Public Citizen and the other groups add that the hackers weren't aiming to steal Wyndham's property, but data belonging to consumers. “In the case of burglary or robbery of a business, thieves target the business’s own property for damage or theft. But as the recent spate of corporate data breaches has demonstrated, with regard to data security, thieves do not seek business information, but consumer information,” the groups write.

The organizations add that data breaches can harm consumers, regardless of whether hackers obtain credit card or bank account information. “Even data breaches where only names and email addresses are stolen can be harmful, as the information may be used to probe for more data on those consumers, thus increasing the likelihood that the consumers will be targeted for a phishing scheme that may lead to identity fraud,” Public Citizen and the others write.

The Center for Digital Democracy, which joined in the friend-of-the-court brief, is known for arguing that consumers need stronger online privacy protections from marketers who want to mine data in order to serve targeted ads. The organization now says in its court papers that the FTC's oversight of online privacy and data security are “linked issues that must be upheld for the protection of American consumers who increasingly use technology to navigate their lives.”

Since 2011, the FTC has charged dozens of companies with acting unfairly by violating consumers' privacy or mishandling their data. In one example, last December the FTC brought charges against the developer of the Brightest Flashlight app, which allegedly transmitted consumers' geolocation data and unique device identifiers to ad networks. Most of the companies facing privacy or security charges settled with the agency.