“Wyndham left customer data unprotected by firewalls; did not encrypt credit card information; used outdated software that could not receive security updates; used widely known default passwords and easily guessed passwords instead of complex passwords ... and failed to employ reasonable measures for detecting and preventing intrusions,” the FTC writes in a brief filed this week with the 3rd Circuit Court of Appeals.
The FTC's papers come in response to Wyndham's request that the appellate court throw out charges stemming from three separate security breaches that occurred between 2008 and 2010.
The hotel chain argues that it's a crime victim, and didn't itself do anything “unfair” to customers. Wyndham also characterizes the FTC's lawsuit as an attempt to impose security requirements retroactively. “The Commission has simply anointed itself a roving cybersecurity prosecutor -- but, unlike other prosecutors, one that seeks to define the offense and to do so after the fact,” Wyndham argues in its appellate papers, which were filed last month.
Earlier this year, U.S. District Court Judge Esther Salas in New Jersey rejected Wyndham's request to dismiss the charges.
That decision should stand, the FTC says in its new court papers. The agency argues that its 2007 Business Guides -- combined with cases against other companies that suffered data breaches -- have “provided extensive guidance” about the types of cybersecurity measures the FTC expects companies to deploy.
The FTC also argues that companies like Wyndham can be liable merely for enabling fraud, even if the company itself hasn't done anything fraudulent. “Wyndham created and controlled a computer network that collected private data, yet it repeatedly failed to take reasonable steps to protect that network against data theft, even after its system was repeatedly breached,” the FTC says.
The agency adds that “unreasonably” poor security by companies like Wyndham can result in “monetary loss, identity theft, and countless hours spent trying to mitigate the damage, among other harms.”
Since 2011, the FTC has brought dozens of enforcement actions against companies that allegedly violated consumers' privacy or mishandled their data. Unlike Wyndham, most of the companies settled with the FTC.
The legal battle, which started when the FTC filed charges against Wyndham in 2012, has drawn interest from a host of outside groups, including the U.S. Chamber of Commerce, which sided with Wyndham, and Public Citizen, which backed the FTC.