
Wyndham Hotel's failure to use “reasonable” security measures to prevent hackers from accessing information about consumers constitutes an unfair practice, the Federal Trade Commission
argues in new court papers.
“Wyndham left customer data unprotected by firewalls; did not encrypt credit card information; used outdated software that could not receive security updates;
used widely known default passwords and easily guessed passwords instead of complex passwords ... and failed to employ reasonable measures for detecting and preventing intrusions,” the FTC writes
in a brief filed this week with the 3rd Circuit Court of Appeals.
The FTC's papers come in response to Wyndham's request that the appellate court throw out charges stemming from three separate
security breaches that occurred between 2008 and 2010.
The hotel chain argues that it's a crime victim, and didn't itself do anything “unfair” to customers. Wyndham also
characterizes the FTC's lawsuit as an attempt to impose security requirements retroactively. “The Commission has simply anointed itself a roving cybersecurity prosecutor -- but, unlike other
prosecutors, one that seeks to define the offense and to do so after the fact,” Wyndham argues in its appellate papers, which were filed last month.
Earlier this year, U.S. District
Court Judge Esther Salas in New Jersey rejected Wyndham's request to dismiss the charges.
That decision should stand, the FTC says in its new court papers. The agency argues that its 2007
Business Guides -- combined with cases against other companies that suffered data breaches -- have “provided extensive guidance” about the types of cybersecurity measures the FTC expects
companies to deploy.
The FTC also argues that companies like Wyndham can be liable merely for enabling fraud, even if the company itself hasn't done anything fraudulent. “Wyndham created
and controlled a computer network that collected private data, yet it repeatedly failed to take reasonable steps to protect that network against data theft, even after its system was repeatedly
breached,” the FTC says.
The agency adds that “unreasonably” poor security by companies like Wyndham can result in “monetary loss, identity theft, and countless hours
spent trying to mitigate the damage, among other harms.”
Since 2011, the FTC has brought dozens of enforcement actions against companies that allegedly violated consumers' privacy or
mishandled their data. Unlike Wyndham, most of the companies settled with the FTC.
The legal battle, which started when the FTC filed charges against Wyndham in 2012, has drawn interest from a
host of outside groups including the U.S. Chamber of Commerce, which sided with Wyndham, and Public Citizen, which backed the FTC.