Court to Review FTC's Security Authority
Wyndham Worldwide Case Stems from Card Breaches
The U.S. Court of Appeals for the Third Circuit has agreed to hear Wyndham Worldwide's appeal regarding what authority the Federal Trade Commission has over corporate data security. The dispute stems from a suit the FTC brought against the hotel chain following three breaches that exposed stored payment card details for nearly 670,000 accounts (see: FTC Sues Hotel Chain for Card Breaches).
The appellate court has not yet scheduled a hearing.
"We are pleased that the United States Court of Appeals for the Third Circuit has granted an appeal in this case," a spokesperson for Wyndham Worldwide tells Information Security Media Group. "We continue to believe that the FTC lacks the authority to regulate data security and has failed to provide any standards by which it is attempting to hold companies accountable. A number of other organizations in the business and data privacy communities have expressed their support for our position, which we will continue to defend vigorously."
The FTC also is facing Congressional scrutiny of its data security enforcement activities. At a recent hearing, a House panel reviewed FTC investigations in the healthcare arena (see: Examining FTC's Data Security Enforcement).
The appellate court's decision to hear the Wyndham Worldwide case highlights the importance of the issues involved for "virtually every business," says Christin McMeley, partner in the privacy and security practice at law firm Davis Wright Tremaine. The case "raises very legitimate questions about the FTC's authority to regulate at all in this space, and, if it does have such authority, whether the commission should establish clear security standards through a rulemaking process versus through enforcement."
Two Key Questions
Wyndham Worldwide, in its petition for appeal, is seeking to answer two questions: whether Section 5 of the Federal Trade Commission Act grants the FTC general authority over corporate data security; and whether the FTC has provided adequate notice of what Section 5 requires with respect to corporate data security.
"If ever a case warranted ... appellate review, this is it," Wyndham said in its petition. "This case presents important questions of first impression about the scope of a federal agency's authority to regulate a vast sector of the American economy and the extent to which such regulation comports with fundamental principles of fair notice and due process."
The FTC also welcomed the appellate court's decision to hear Wyndham's appeal. "In the FTC's longstanding view, it has ample authority to proceed against companies for unreasonable data-security practices that harm consumers," a spokesperson said. "We agreed to immediate appellate review of the district court's decision upholding that authority because the public would benefit from a prompt appellate decision removing the legal uncertainty that Wyndham is attempting to generate over that authority to protect consumers."
The appeal follows an April 7 federal district court ruling denying Wyndham's motion to dismiss the FTC lawsuit. That court determined that the commission has authority under the FTC Act to bring an enforcement action against Wyndham to remedy its "unreasonable" data security practices, Bloomberg BNA reported.
Wyndham Breaches, Lawsuit
The FTC claimed in a 2012 statement that Wyndham's alleged security gaps allowed hackers to infiltrate the hotel chain's network on three separate occasions in less than two years and export card details. The exported data was traced to an Internet domain address registered in Russia.
Wyndham-branded hotels use property management computer systems that handle card transactions and store information, such as card account numbers, expiration dates and security codes, according to the FTC. The FTC alleges millions of dollars in fraud losses resulted from the three breaches, which are believed to have occurred in 2008 and 2009.
The FTC claims Wyndham and its subsidiaries failed to implement standard security measures, such as complex user IDs and passwords, firewalls and network segmentation between hotels and the corporate network. Additionally, the FTC says improper software configurations used by the hotel chain and its subsidiaries resulted in the improper storage of sensitive card information in clear readable text. The storing of sensitive payment card information violates the Payment Card Industry Data Security Standard, the FTC notes.
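The clear-text storage alleged above is something a defender can check for directly. The following is an added example, not code from the article or from the FTC's complaint: it scans stored records for two of the PCI DSS problems the FTC describes, full card numbers held unmasked and security codes retained at all. The record layout, field names and sample data are constructed assumptions; the card numbers are standard test numbers, not real accounts.

```python
"""Detect clear-text payment card data in stored records.

Added example (not from the article or the FTC complaint). The record
format, the field names and the sample data are constructed assumptions.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names that must never hold a value after authorisation (assumed names).
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "security_code"}


def luhn_valid(digits: str) -> bool:
    """Luhn check; weeds out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_clear_text_pans(text: str) -> list:
    """Return every Luhn-valid card number found unmasked in `text`.

    Masked values such as 4111********1111 never match because the digit
    runs on either side of the mask are too short.
    """
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_record(record: dict) -> list:
    """Return a list of finding strings for one stored record."""
    findings = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        if key.lower() in FORBIDDEN_FIELDS and value.strip():
            findings.append(f"{key}: security code stored")
        for pan in find_clear_text_pans(value):
            # Report only the last four digits so the scan output itself
            # does not become another clear-text copy of the PAN.
            findings.append(f"{key}: clear-text PAN ending {pan[-4:]}")
    return findings


def scan_records(records: list) -> dict:
    """Map record id to its findings, keeping only records that have some."""
    report = {}
    for rec in records:
        hits = scan_record(rec)
        if hits:
            report[rec.get("id", "?")] = hits
    return report


# Constructed sample data using test card numbers; not real accounts.
SAMPLE_RECORDS = [
    {"id": "res-1001", "guest": "A. Example", "card": "4111 1111 1111 1111",
     "exp": "12/09", "cvv": "123"},                       # unmasked PAN + CVV
    {"id": "res-1002", "guest": "B. Example", "card": "4111********1111",
     "exp": "01/10", "cvv": ""},                          # masked, CVV cleared
    {"id": "res-1003", "guest": "C. Example", "card": "tok_8f3a9c",
     "exp": "03/10"},                                     # tokenised
    {"id": "res-1004", "note": "Charged 5500000000000004 at checkout",
     "order": "1234567890123"},                           # PAN leaked into free text
]

if __name__ == "__main__":
    for rec_id, hits in scan_records(SAMPLE_RECORDS).items():
        print(rec_id)
        for h in hits:
            print("  -", h)
```

The Luhn filter matters in practice: reservation and order numbers are often 13 to 16 digits long and would otherwise drown the report in false positives, while the free-text "note" record shows why the scan has to cover every string field, not just the one named "card".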
At a July 24 hearing, members of the House Committee on Oversight and Government Reform considered the issue of whether the FTC was acting appropriately in its recent investigations of alleged healthcare data breaches.
"Safeguards are needed for how FTC looks at allegations" of unfair business practices involving data security, Committee Chairman Darrell Issa, R-Calif., said at the hearing. "Cybersecurity is not a hard science, you can be sure."
Testifying at the hearing was Michael Daugherty, CEO of LabMD, an Atlanta-based medical lab testing firm that, like Wyndham Worldwide, is embroiled in an ongoing dispute with the FTC over its data security practices. The FTC has been pursuing an enforcement action against LabMD for alleged unfair business practices related to two separate data security incidents.