Wyndham Fires Back At FTC In Cybersecurity Battle

Allegations that Wyndham Hotels failed to take “reasonable” cybersecurity measures don't support the Federal Trade Commission's position that the hotel chain engaged in an unfair business practice, Wyndham argues in papers filed this week with the 3rd Circuit Court of Appeals.

Wyndham is asking the appellate court to throw out charges that the hotel chain engaged in an unfair business practice by failing to encrypt credit-card data, deploy firewalls and use other “reasonable” security measures.

“There are few more pressing issues confronting American society than cybersecurity,” the hotel chain argues in papers filed this week with the 3rd Circuit Court of Appeals. “For the Commission to give American businesses, large and small, no more guidance than a simple command to act 'reasonably' -- on pain of administrative prosecution and sanctions -- is to make a mockery of basic constitutional norms of fair notice.”

The closely watched battle between Wyndham and the FTC stems from three separate security breaches suffered by Wyndham between 2008 and 2010. The FTC sued the hotel chain in 2012, alleging that it failed to honor its privacy policy and also engaged in unfair business practices.

Earlier this year, U.S. District Court Judge Esther Salas in New Jersey rejected Wyndham's request to dismiss the charges. Wyndham is now asking the appellate court to reverse Salas' ruling. The company, which argues that it's a crime victim, characterizes the FTC's lawsuit as an attempt to impose security requirements retroactively.

The FTC counters in papers filed last month that its 2007 Business Guides — combined with cases against other companies that suffered data breaches — offered “extensive guidance” about the types of cybersecurity measures the FTC expects companies to deploy.

Wyndham this week fired back at the FTC, arguing that the agency can't “meet its fair-notice obligations ... merely by telling businesses to 'act reasonably,' and then evaluating after-the-fact whether that indeterminate standard was satisfied.”

The hotel chain also argues that prior FTC consent decrees don't provide companies like itself with adequate notice of the FTC's expectations.

Consent decrees “are settlements, and — like most settlements — often involve pragmatic business decisions to avoid protracted litigation, not admissions of liability,” Wyndham argues. The company adds that many of the cybersecurity consent decrees “include explicit denials of wrongdoing.”

In the last three years, the FTC has brought dozens of enforcement actions against companies that allegedly violated consumers' privacy or mishandled their data. Unlike Wyndham, most of the companies settled with the FTC.

The battle between the FTC and Wyndham has drawn interest from a host of outside groups, including the U.S. Chamber of Commerce, which sides with Wyndham, and consumer advocacy organizations, which are backing the FTC.
