FTC Privacy Enforcement Power Wins Court Blessing - InformationWeek
Government // Cybersecurity
09:06 AM
Connect Directly

FTC Privacy Enforcement Power Wins Court Blessing

The agency's claim against Wyndham Hotels for poor data security practices has been allowed to proceed.

20 Great Ideas To Steal In 2014
20 Great Ideas To Steal In 2014
(Click image for larger view and slideshow.)

Wyndham Worldwide Corporation and its subsidiaries will have to face the Federal Trade Commission in court after a federal judge on Monday rejected the hospitality company's contention that the FTC lacks the authority to regulate its computer security practices.

Judge Esther Salas, US District Judge for the District of New Jersey, ruled that a lawsuit filed in 2012 by the FTC over alleged security shortcomings at Wyndham and its subsidiaries may proceed.

FTC Chairwoman Edith Ramirez said via Twitter that she was pleased the court had recognized her agency's authority to hold companies accountable for safeguarding consumer data. She added that businesses should take steps to secure sensitive consumer information and warned that the agency will take action to make sure companies do so.

The ruling underscores that US privacy regulation isn't inconsequential. In a recently published paper, Daniel J. Solove, a law professor at George Washington University, and Woodrow Hartzog, an assistant law professor at Samford University, note that despite more than 15 years of FTC privacy enforcement, which has resulted in settlement agreements rather than judicial decisions, "FTC privacy jurisprudence is the broadest and most influential regulating force on information privacy in the United States -- more so than nearly any privacy statute or common law tort."

That doesn't sit well with TechFreedom, a tech industry advocacy group, which questioned whether the FTC's approach aligns with the intent of Congress and whether the agency has too much discretion to challenge companies.

The FTC characterizes its lawsuit as an attempt to ensure that companies live up to the promises they make about privacy and data security, specifically statements made in privacy policies and related online statements.

Wyndham insisted on its website that it safeguarded its customers' personally identifiable information "using standard industry practices." FTC contends the hotel group did something less than that.

Between April 2008 and January 2010, the FTC complaint says, hackers accessed the hotel group's property management systems three separate times. The hackers allegedly used similar techniques each time to access personal information, including payment card numbers, expiration dates, and security codes.

All told, according to the complaint, the breaches resulted in the compromise of more than 619,000 payment card account numbers, the export of many of those account numbers to a Internet domain registered in Russia, fraudulent charges on many customers' accounts, and fraud losses totaling more than $10.6 million.

The FTC claims that Wyndham "failed to provide reasonable and appropriate security for the personal information collected and maintained by [the company and its subsidiaries]."

Wyndham Worldwide continued to express confidence in its position.

"It is important to note that the Court made no decision on liability today," Wyndham Worldwide spokesman Michael Valentino said in an emailed statement. "We continue to believe the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security. We intend to defend our position vigorously."

Find out how a government program is putting cloud computing on the fast track to better security. Also in the Cloud Security issue of InformationWeek Government: Defense CIO Teri Takai on why FedRAMP helps everyone.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 6, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll