Wyndham Stands up to FTC in Data Breach Case

    Sep 30, 2013

    Hotel operator Wyndham Worldwide Corp. is fighting back in a data breach lawsuit filed by the Federal Trade Commission (FTC) last June against the company and three of its subsidiaries.

    The lawsuit alleged that Wyndham failed to implement reasonable information security measures and consequently experienced three major data breaches in two years. Hundreds of thousands of credit and debit card accounts were ultimately compromised, and there were fraud losses of more than $10.6 million. 

    The FTC accused the hotel operator of unfair trade practices and of deceiving customers into thinking their cardholder data was adequately protected. Other companies facing similar charges have opted to settle with the FTC, accepting fines of as much as $10 million (as in the case of ChoicePoint) and comprehensive bi-annual audits.

    Wyndham has chosen not to go quietly into that good night and instead has questioned the FTC’s authority to sue companies on behalf of consumers for cybersecurity breaches and lax or misleading data security policies. The U.S. Chamber of Commerce and several other organizations joined the battle by seeking permission to file for a dismissal, accusing the FTC of holding breached entities like Wyndham to unfair and arbitrary standards. ComputerWorld reported that the groups also alleged that the FTC is forcing businesses into lengthy data breach settlements and imposing costly fines for violating security standards the agency hasn't even formally promulgated. 

    A federal court judge in New Jersey agreed to allow the groups to file for the dismissal. This is the first time the FTC has had to go to a federal court because a breached entity refused to settle.

    At this point, a variety of opinions exists: the Chamber of Commerce et al. contend that the agency routinely punishes businesses for failing to have reasonable security standards in place, yet it has never specified what constitutes reasonable standards. 

    On the other hand, Chris Hoofnagle, director of information privacy programs at the University of California Berkeley Center for Law & Technology, says that Congress empowered the FTC to hold companies accountable for failing to protect consumers’ data and so has the power to determine what is unfair and deceptive.

    Others call for formal rulemaking to give companies clear guidance regarding security standards. Michelle Cohen, an attorney with Ifrah Law and chair of its e-commerce practice, noted in InsideCounsel that if the FTC went through formal rulemaking proceedings, businesses and other stakeholders would have an opportunity to participate by submitting comments, and at the end of the proceeding there would be actual rules to follow.

    Although it’s difficult to predict the outcome, one thing is sure – information governance professionals face daily situations where they must decide how to protect and secure information in their custody. They are the ones that will have to respond if there is a data breach that requires the organization to respond and take additional measures.

    In most respects, this is a risk management decision that should be made after balancing a variety of risk factors. It should determine:

    • How much and what types of information does the organization hold?
    • For how long does the organization actually need the information?
    • Is there a reasonable point in time where customer information could be disposed of, once the business need for it is met?
    • What impact would a data loss have on the organization’s reputation and future relationships with customers and shareholders?

    Rather than waiting for new regulations to be issues, organizations should answer these questions and take appropriate actions now. Much more is at stake than the risk of not being in compliance with a potential new regulation.

    ARMA International offers resources that can assist organizations in assessing the risks associated with their information management practices. Check out these publications in the ARMA International online bookstore:

    • Evaluating and Mitigating Records and Information Risks
    • Managing Risks for Records and Information
    © 2017, ARMA International