Courts Will Let the FTC Punish Companies for Bad Cybersecurity

The FTC sued Wyndham in 2012, accusing it of not safeguarding customer data. Fraudulent charges on accounts led to more than $10.6 million in losses. A spokesman said the Parsippany, New Jersey-based company is reviewing the decision. The ruling more widely cements the agency’s power to regulate and fine firms that lose consumer data to hackers, if the companies engaged in what the FTC deems “unfair” or “deceptive” business practices.

The FTC alleges that Wyndham made avoidable security errors, such as storing customers’ information in clear text, using easily guessed passwords for administrator accounts, and not setting up a firewall between the hotel management system and the corporate network. The ruling, from the United States Court of Appeals for the Third Circuit, came as part of a lawsuit between the FTC and Wyndham Worldwide Corporation, which manages a collection of hotels throughout the US. “This is a huge victory for the FTC, but also for American consumers”, says Butler, who filed an amicus brief defending the FTC’s authority earlier in the case.

On Monday, a federal appeals court ruled that the Federal Trade Commission (FTC) has the power to take action (PDF) against companies that employ poor IT security practices. The FTC asserts that, due to Wyndham’s “failure to monitor [the network] for the malware used in the previous attack, hackers had unauthorized access to [its] network for approximately two months”.

“It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information”, said FTC Chairwoman Edith Ramirez in a statement.

Wyndham had specifically challenged that “unfair” claim, arguing that it hadn’t actually engaged in the “unscrupulous or unethical behavior” that it said the FTC’s standard requires. The court called that argument alarmist to say the least.

Between 2008 and 2009, hackers broke into Wyndham’s systems and stole credit card and personal information from some 619,000 customers. But the appellate court wasn’t persuaded. It ruled that the alleged mismatches between Wyndham’s actual data protection and its published privacy policy were sufficient to meet the “unfair” standard, without any accusation of “unethical” behavior being necessary.

Absent congressional regulation, the agency has brought more than 50 data security cases, most of which have resulted in settlement.

[Image] Guests look out from inside their rooms in the Wyndham Hotel in Pittsburg. Stephanie Strasburg / Tribune Review / AP