Wyndham lawsuit tests FTC's data security enforcement authority

Federal judge in N.J. this week let Chamber of Commerce and others file motion to dismiss suit

A federal court judge in New Jersey on Wednesday agreed to allow the U.S. Chamber of Commerce and several other organizations to seek the dismissal of a closely watched data breach lawsuit filed by the Federal Trade Commission against Wyndham Worldwide Corp.

The groups accused the FTC of holding breached entities like Wyndham to unfair and arbitrary standards and alleged that the FTC is forcing businesses into lengthy data breach settlements and imposing costly fines for violating security standards the agency hasn't even formally promulgated.

In addition to the Chamber of Commerce, others who want the suit dismissed include TechFreedom, the American Hotel and Lodging Association, the National Federation of Independent Businesses and the International Franchise Association.

The amicus briefs, prepared months ago, are related to a data breach lawsuit filed by the FTC against Wyndham and three subsidiaries in June 2012.

The lawsuit alleged that the hotel operator suffered three major data breaches in two years because it had failed to implement reasonable information security measures. The breaches resulted in hundreds of thousands of credit and debit cards being compromised and more than $10.6 million in fraud losses.

The FTC accused Wyndham of unfair trade practices and of deceiving customers into thinking their sensitive cardholder data was adequately protected when, in fact, it was not.

Many see the case as a landmark test of the FTC's authority to enforce data security standards on U.S. companies under a section of the FTC Act that prohibits "unfair" and "deceptive" trade practices. Over the past several years, the FTC has used this Section 5 authority to force numerous settlements, or "consent decrees," from companies that suffered data breaches.

In previous cases, the FTC accused the breached entity of engaging in unfair and deceptive trade practices for promising to protect consumer data in their privacy notices, but then failing to do so. Some of the consent decrees have involved considerable fines, lengthy periods of monitoring and third-party security audits.

In 2006 for example, the FTC imposed a $10 million civil penalty against data aggregator ChoicePoint Inc. over a data breach that compromised over 180,000 credit and debit cards. As part of its agreement, ChoicePoint was also required to submit to comprehensive security audits every two years for the next 20 years.

In 2012, online gaming firm RockYou agreed to pay a $250,000 fine and submit to third-party audits for 20 years as part of an FTC settlement over a data breach.

The Wyndham lawsuit marks the first time the FTC has had to go to a federal court because a breached entity refused to settle.

In their legal briefs, the Chamber of Commerce and the others accused the agency of routinely punishing businesses for failing to have reasonable security standards without ever specifying what exactly it considers as a reasonable standard. They also questioned the agency's authority to enforce data security standards under the unfair and deceptive practices provisions of the FTC Act.

"Nothing in Section 5 suggests that Congress intended to give the FTC the authority to regulate data security," the Chamber of Commerce said in its 25-page motion to dismiss.

That motion argued that the FTC's data security enforcement actions hark back to its overzealous use of the unfair and deceptive practices provisions to pursue other perceived business misdeeds in the past. Those past enforcement excesses under Section 5 led Congress to impose restrictions on the agency's authority in 1994, the Chamber argued.

"Despite these acknowledged statutory constraints, carefully calibrated by Congress in response to years of agency overreaching, the FTC again is attempting to use Section 5 inappropriately," the Chamber said.

Berin Szoka, president of TechFreedom, said the case is important because it's the first time since the FTC began its data breach enforcement actions nine years ago that any company had challenged its enforcement authority.

All of the 41 companies hit with FTC lawsuits so far have quietly acquiesced to its settlement terms for fear of attracting more attention and trouble, Szoka said. When confronted with the choice of settling a case or going through a long and potentially costly investigative and discovery process, companies tended to choose the former, he noted.

"The FTC has this broad authority to make what is known as common law for information security not unlike the common law where courts make a decision and others can study and understand that law," he said. Even so, it has not established any such law through its enforcement actions, he said.

"Here, all you have to go on are these 41 enforcement actions where the FTC has convinced companies to settle out of court with no adjudication. The courts have never signed off and said we think this is the proper interpretation," Szoka said.

As a result, companies have little information to guide them on what exactly constitutes reasonable care, deception and unfair practices in the FTC's eyes, he said.

Chris Hoofnagle, director of information privacy programs at the University of California Berkeley Center for Law & Technology, described the dismissal efforts as a "Hail Mary effort to stop the FTC from enforcing its unfairness power."

"For decades, long before the FTC became involved in privacy, business groups have tried to cabin the FTC so that it can only enforce wrongs that were addressable by the common law," Hoofnagle said in emailed comments to Computerworld.

In an amicus brief supporting the FTC's position, Hoofnagle noted that the agency's enforcement actions have served as the only effective means of holding companies accountable for failing to protect data entrusted to them by consumers.

Although consumers can suffer substantial harm from a data breach, federal courts have been reluctant to recognize private tort action against breached entities. So the FTC enforcement actions have been the primary protection for consumers, he said.

"Congress, in creating the FTC and in empowering it to police unfair and deceptive trade practices, explicitly gave the agency power to determine what is unfair and deceptive." Trying to make the FTC an entity that can only enforce common law defeats the purpose for which it was created, Hoofnagle said. "[It] raises a basic question: Why have the FTC at all?"

FTC officials could not be reached immediately for comment on the case.

This article, "Wyndham lawsuit tests FTC's data security enforcement authority," was originally published at Computerworld.com.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
