On Monday, a federal appeals court held that the Federal Trade Commission (FTC) could move forward with its enforcement actions against Wyndham Worldwide Corporation (Wyndham) alleging that Wyndham did not take “reasonable and appropriate” steps to prevent a cyber security breach.
On three occasions between 2008 and 2010, hackers gained unauthorized access to Wyndham’s computer network, as well as the computer networks of several Wyndham-branded hotels. The hackers compromised payment-card information that Wyndham had collected from customers. After a two-year investigation into Wyndham’s data security practices, on June 26, 2012, the FTC filed a lawsuit in federal court alleging that Wyndham had engaged in “unfair ... acts or practices” in violation of the Federal Trade Commission Act, 15 U.S.C. § 45(a), by failing to take “reasonable and appropriate” measures to protect the data stolen by the hackers. The FTC accused Wyndham of lax cyber security measures, including using easy-to-guess passwords, failing to encrypt data, and failing to use firewalls to protect confidential information. In the suit, the FTC seeks an order preventing Wyndham from future violations and reimbursement of the FTC’s costs in bringing the lawsuit.
Wyndham moved to dismiss the case, arguing, among other things, that the FTC did not have the power to regulate cyber security and, even if it did, Wyndham was not given proper notice of what cyber security measures it was supposed to take. In April 2014, the federal trial court presiding over the case rejected Wyndham’s motion to dismiss the charges.
Wyndham appealed the trial court’s order to the Third Circuit Court of Appeals. Wyndham was joined in its appeal by a number of outside groups, including the United States Chamber of Commerce, the American Hotel & Lodging Association, and the National Federation of Independent Business. The FTC was joined in its opposition to Wyndham’s appeal by a number of consumer advocacy groups, such as Public Citizen, Center for Digital Democracy, Consumer Action, Center for Democracy & Technology, Electronic Frontier Foundation, and the Electronic Privacy Information Center.
On Monday, the appeals court agreed with the trial court and ruled that the case against Wyndham could go forward.
This ruling potentially subjects any hotel manager to legal action by the FTC in the wake of a cyber attack if the manager’s cyber security measures are not seen as “reasonable and appropriate” by the FTC. As such, hotel operators must be vigilant in their protection of sensitive customer data. In turn, hotel owners also should monitor costs being charged through by operators, because there is a risk, which is already materializing, that some management companies will take advantage of their access to and control over information to pass through as “operating expenses” the costs incurred to investigate and remediate network intrusions that happen at the management company level.
A copy of the Third Circuit Court of Appeals’ decision can be found here.