Digital Transactions Authoritative, insightful and timely information for payments professionals
A formerly obscure lawsuit filed by the Federal Trade Commission against Wyndham Worldwide Corp. and three subsidiaries in the wake of three data breaches at the hotel chain has become the flashpoint of a growing debate about the lack of a federal law governing data security on the Internet and what, if anything, agencies such as the FTC should be doing to fill the void.
“I think there are going to be a lot of people watching this,” says Julie Conroy, a research director at Boston-based Aite Group LLC. “It underscores the fact that we don’t have a federal cybersecurity [law].”
The case is drawing attention in the legal press and from business groups and consumer interests ahead of a June 17 hearing in U.S. District Court in Newark, N.J., on Wyndham’s motion to dismiss the case. The FTC, which says the breaches compromised more than half a million payment card accounts and led to $10.6 million in fraud losses, is seeking damages and an injunction to prevent Wyndham from future conduct that would violate the Federal Trade Commission Act.
Congress has not given the FTC specific authority to oversee Internet data security. The consumer-protection agency’s case against Wyndham is based in part on Wyndham’s alleged failure to live up to its own promises to customers that it made about privacy and data security.
“In its complaint, the FTC alleges that Wyndham’s privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers’ personal information, and that its failure to safeguard personal information caused substantial consumer injury,” the FTC said in a June 2012 news release announcing the lawsuit. “The agency charged that the security practices were unfair and deceptive and violated the FTC Act.”
But Parsippany, N.J.-based Wyndham and its allies say the FTC is overstepping its authority. “This is an unprecedented lawsuit with far-reaching implications,” Wyndham’s lawyers say in the introduction to their 29-page motion for dismissal. “For the first time ever, the FTC is asking a federal court to hold that Section 5 of the FTC Act—a 1914 statute that prohibits ‘unfair and deceptive acts or practices’—authorizes the Commission to regulate the sophisticated technologies that businesses use to protect sensitive consumer information.”
In a friend-of-the-court brief supporting Wyndham, the U.S. Chamber of Commerce, the Retail Litigation Center, the American Hotel & Lodging Association, and the National Federation of Independent Business say the FTC has published a series of consent orders settling charges against businesses for allegedly failing to take adequate measures to prevent unauthorized access to personal data.
“This piecemeal ‘regulation by consent order’ has enabled the FTC to impose unilaterally its evolving policy choices on businesses without the oversight of the legislative branch, without participation of the corporate community and other interested stakeholders, and without judicial review,” the brief says.
But Aite’s Conroy says “the approach they [the FTC] are taking is interesting and I think defendable. They’re going after the legal aspects saying, ‘your privacy policy says you have data security, and you don’t.’”
The first Wyndham breach happened in April 2008, when intruders gained access to the local computer network of a Wyndham-branded hotel in Phoenix that was connected to the Internet. The FTC alleges that because of Wyndham’s inadequate security procedures, the breach gave the intruders access to the corporate network of Wyndham’s Hotels and Resorts subsidiary and the property-management servers of 41 Wyndham-branded hotels. The intruders were then able to install “memory-scraping” malware on numerous Wyndham-branded hotels\' servers and gained access to files that contained payment card account information for “large numbers” of consumers, which was improperly stored in clear text, the FTC alleges.
Ultimately, the breach compromised more than 500,000 payment card accounts and facilitated the export of hundreds of thousands of those account numbers to a domain registered in Russia, according to the FTC.
Wyndham also failed in its remedial efforts, which led to two more breaches in 2009, the FTC alleges. The first, in March, compromised more than 50,000 payment card accounts from guests who had stayed at 39 Wyndham-branded hotels, while the second compromised 69,000 card accounts from visitors to 28 hotels.
Congress in the past several years has considered but failed to pass cybersecurity bills, partly because of concerns about how much access to private data such a law might give to government. Still, with technology rapidly evolving and a patchwork of state laws developing, the case is strong for a federal law, says Aite’s Conroy. “The ideal is to have some sort of comprehensive cybersecurity law at the federal level,” she says. “It would make clear who the regulator is.”
Regarding credit and debit card security, Conroy also notes that the industry-developed Payment Card data-security standard (PCI) addresses card data but does nothing to change the widespread reliance on user names and passwords, authentication protocols used to protect numerous types of data. In a March research report, Aite noted that merchants it interviewed reported that their losses from account takeovers, which involve fraudsters obtaining unauthorized access to user names and passwords, in 2012 began to overtake their losses from stolen credit and debit cards.
