U.S. Court Affirms FTC Authority to Enforce Data Breach Rules

NEWS ANALYSIS: The Philadelphia-based U.S. Third Circuit Court of Appeals finds that the Federal Trade Commission can sue Wyndham Hotels for lax security practices that led to a data breach.

In a decision that cites a litany of basic security blunders, the United States Third Circuit Court of Appeals unanimously found that the Federal Trade Commission has the authority to sue Wyndham Hotels for unfair cyber-security practices that, "taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft."

The decision lists a series of network security practices that came to light after a trio of breaches in 2008 and 2009. The fundamental security blunders include storing payment data and customer identifying information in clear, unencrypted text. The company, which uses point-of-sale terminals made by Micros Systems, then set all of the user names and passwords to "micros."

The company's network was essentially wide open to attackers because Wyndham apparently didn't feel the need to use firewalls, properly update server and computer software, control what computers attached to the company network or change default user names and passwords.

Network security was so lax, the court observed, that Wyndham was unable to tell for sure that it had been hacked, and when the event became obvious (because its customers' identities and credit card information were being sold online), it was at a loss to figure out how it happened.

For its part, Wyndham was challenging the FTC's authority to punish it for its security failings. The FTC began enforcing security practices in 2005 in conjunction with its charter that it protect consumers. Since then, companies that have been found not to be in compliance with reasonable security practices have settled with the FTC, signed consent agreements and beefed up their security practices.

Wyndham, however, decided to challenge the FTC through the courts using tactics that the court itself called "alarmist." Among other things, Wyndham argued that it was the victim of the hackers and that consumers weren't harmed. But the court's decision noted that it was clear that Wyndham customers' credit card numbers and their identities were stolen after the data breach.

The judges lapsed into Latin to ridicule some of the hotel chain's arguments. "Wyndham posits a reductio ad absurdum," or resorts to the absurd, when arguing that the FTC was exceeding its legal authority in regulating IT security standards.

The company argued that if the FTC's unfairness authority extends to Wyndham's conduct, "then the FTC also has the authority to 'regulate the locks on hotel room doors, . . . to require every store in the land to post an armed guard at the door,' … and to sue supermarkets that are 'sloppy about sweeping up banana peels.'"

"The argument is alarmist to say the least. And it invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under §45(a)", which is the part of the U.S. code that prohibits unfair practices.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He's a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...