A federal judge has sided with the Federal Trade Commission in a high-profile dispute with Wyndham Hotels about its security practices.
U.S. District Court Judge Esther Salas in New Jersey ruled today that the FTC can proceed with a case against Wyndham, which suffered data breaches on three occasions between 2008 and 2010. The FTC alleged that Wyndham violated its privacy policy, which promised to use “industry standard practices” to keep customers' information secure. The agency also alleged that Wyndham engaged in unfair practices by failing to take reasonable security measures, such as using firewalls and requiring encryption of credit card data.
Wyndham asked Salas to dismiss the case, arguing that the FTC lacks authority to charge companies with unfair data security practices. The hotel chain specifically contended that the agency hadn't issued data-security regulations, which would have given companies advance notice of the standards the FTC expected them to follow.
Salas rejected Wyndham's arguments today, ruling that the FTC has the flexibility to charge Wyndham with unfairness regardless of whether the agency promulgated cybersecurity regulations. She said in the ruling that accepting Wyndham's theory would lead to an “untenable consequence” -- that the FTC “would have to cease bringing all unfairness actions without first proscribing particularized prohibitions.”
At the same time, Salas wrote that her ruling doesn't “give the FTC a blank check to sustain a lawsuit against every business that has been hacked.”
Some commentators previously said that a ruling against Wyndham was likely to result in more FTC cybersecurity cases, while a ruling siding with Wyndham would have ended the FTC's ability to police poor security. The closely watched case drew friend-of-the-court briefs from a variety of groups, including the U.S. Chamber of Commerce (which sided with Wyndham) and advocacy organization Public Citizen (which supported the FTC).