In 2012, the FTC sued Wyndham and three of its subsidiaries after hackers broke into Wyndham’s corporate computer system, as well as systems at several of its individual hotels, from 2008 to early 2010, resulting in the exposure of personally identifiable information, including financial information, of hundreds of thousands of its customers. The FTC alleged that Wyndham failed to employ reasonable data security measures to protect the personally identifiable information from theft. It alleged several information security problems at Wyndham and its hotels, including wrongly configured software, weak passwords, and insecure computer servers.
Wyndham argued that the FTC had overstepped its authority because it did not have the power to regulate corporate data security practices. Relying on a law dating back to 1914, the FTC argued that it has broad powers to protect consumers from companies that engage in unfair or deceptive trade practices. The FTC has relied on the law to bring a series of enforcement actions targeting companies’ cyber security efforts.
Ruling on the FTC’s authority, on April 7, 2013, Judge Esther Salas of the U.S. District Court for the District of New Jersey rejected Wyndham’s argument and held that the FTC has authority under the “unfairness” prong of the FTC Act, 15 U.S.C. § 45, to bring an enforcement action to remedy the hotel chain’s allegedly unreasonable data security practices. The judge, however, offered no opinion on the underlying merits of the FTC’s allegations against the company. This suit has been widely followed by other corporations because it could have broad ramifications for companies whose security systems are breached. The case is especially interesting because Congress has not yet enacted comprehensive data security legislation, an issue that has received increasing attention in the wake of recent major data breaches. The FTC has brought dozens of data security cases, but the overwhelming majority of them were resolved in out-of-court settlements, and, therefore, there is no case law on the issue of the agency’s powers regarding regulation of data security practices by a company.
In July 2014, the U.S. Court of Appeals for the Third Circuit granted Wyndham’s petition for an interlocutory appeal of portions of the district court’s order (FTC v. Wyndham Worldwide Corp., 3d Cir., No. 14-8091, leave to appeal granted July 29, 2014). On November 17, 2014, Judge Salas ordered the FTC and Wyndham to mediation while continuing the appeal simultaneously. Judge Salas opined that mediation “of this civil action would conserve the resources, and be in the best interests, of the Court and the parties.”
The order is FTC v. Wyndham Worldwide Corp., D.N.J., No. 2:13-cv-01887, 11/17/14. Watch this space for more news on the outcome of this case and the mediation.