FTC Privacy Enforcement Power Wins Court Blessing

The agency's claim against Wyndham Hotels for poor data security practices has been allowed to proceed.

Thomas Claburn, Editor at Large, Enterprise Mobility

April 8, 2014


Wyndham Worldwide Corporation and its subsidiaries will have to face the Federal Trade Commission in court after a federal judge on Monday rejected the hospitality company's contention that the FTC lacks the authority to regulate its computer security practices.

Judge Esther Salas, US District Judge for the District of New Jersey, ruled that a lawsuit filed in 2012 by the FTC over alleged security shortcomings at Wyndham and its subsidiaries may proceed.

FTC Chairwoman Edith Ramirez said via Twitter that she was pleased the court had recognized her agency's authority to hold companies accountable for safeguarding consumer data. She added that businesses should take steps to secure sensitive consumer information and warned that the agency will take action to make sure companies do so.

The ruling underscores that US privacy regulation isn't inconsequential. In a recently published paper, Daniel J. Solove, a law professor at George Washington University, and Woodrow Hartzog, an assistant law professor at Samford University, note that despite more than 15 years of FTC privacy enforcement, which has resulted in settlement agreements rather than judicial decisions, "FTC privacy jurisprudence is the broadest and most influential regulating force on information privacy in the United States -- more so than nearly any privacy statute or common law tort."

That doesn't sit well with TechFreedom, a tech industry advocacy group, which questioned whether the FTC's approach aligns with the intent of Congress and whether the agency has too much discretion to challenge companies.

The FTC characterizes its lawsuit as an attempt to ensure that companies live up to the promises they make about privacy and data security, specifically statements made in privacy policies and related online statements.

Wyndham insisted on its website that it safeguarded its customers' personally identifiable information "using standard industry practices." The FTC contends the hotel group did something less than that.

Between April 2008 and January 2010, the FTC complaint says, hackers accessed the hotel group's property management systems three separate times. The hackers allegedly used similar techniques each time to access personal information, including payment card numbers, expiration dates, and security codes.

All told, according to the complaint, the breaches resulted in the compromise of more than 619,000 payment card account numbers, the export of many of those account numbers to an Internet domain registered in Russia, fraudulent charges on many customers' accounts, and fraud losses totaling more than $10.6 million.

The FTC claims that Wyndham "failed to provide reasonable and appropriate security for the personal information collected and maintained by [the company and its subsidiaries]."

Wyndham Worldwide continued to express confidence in its position.

"It is important to note that the Court made no decision on liability today," Wyndham Worldwide spokesman Michael Valentino said in an emailed statement. "We continue to believe the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security. We intend to defend our position vigorously."


About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
