The Wyndham Hotel chain was hacked several times going back as far as 2012. The FTC came after the hotel chain using Section 5 of the FTC Act, claiming unfair business practices.
Usually what happens in these cases – and there have been a number of them – is that the company and the FTC come to an agreement; the company signs a consent order and the FTC watches the company closely for the next 10 to 20 years. That’s right. That is not a typo.
That is the downside of getting on the radar of the FTC. 20 years is a long time to have a government agency looking at you with a microscope.
Wyndham decided to take a different approach. They claimed that the FTC Act did not give the FTC authority to regulate cyber security practices. They went even further to say that the FTC did not provide them a cookbook of how to protect the company, so how can they complain that Wyndham wasn’t doing it right. Of course, the 600,000+ credit cardholders that got compromised might not agree with this theory.
In fact, in the Bluemaumau article linked to below, hotel industry consultants pretty much give Wyndham an F in security.
Privacy advocates worried that if the courts agreed with Wyndham, the government would have no effective means to encourage companies to protect their customer’s information.
The decision this week is an appeal of a motion that Wyndham made to the District Court to dismiss the case saying that the FTC did not have authority. On appeal, the Third Circuit Court handed Wyndham their butt:
The court laid out in excruciating detail the allegations against Wyndham: allowing hotels to store payment card information in plaintext, using outrageously easy-to-guess passwords, failing to implement firewalls and other rudimentary data security tools, allowing third parties to connect to the network without authentication, failing to deploy reasonable measures to detect and respond to cyber attacks. This has led to three reported incidents of major data breaches, with personal data for hundreds of thousands of customers whisked over to servers in Russia. The breaches, which resulted in more than $10 million in fraudulent transactions, were only discovered after customers complained to credit card companies about unauthorized charges.
At this point, Wyndham can appeal the decision, enter into a consent agreement with the FTC or go to trial.
I doubt they want to go to trial because if they do, the practices described above with come out publicly in all their glory and I don’t think Wyndham wants that kind of press coverage.
Hopefully, this will settle the issue as to whether the FTC has authority. If Wyndham decides to appeal then this we will have to wait for that decision.
If Wyndham decides to settle, then we will have to see if the FTC comes down harder on them because they have been fighting them for three years. Even if everyone agrees to the normal 20 year agreement, that means that the executive team at Wyndham will be reminded for the next 20 years of these three breaches.
This is not a ruling on the merits of the case; assuming the two parties don’t settle, that will be decided at trial in the District Court in New Jersey.
Given Wyndham has been fighting this for three years, I would be surprised if they want to continue to spend hundreds of thousands of dollars on legal fees, but who knows.
Stay tuned for more details.
For other businesses, this is a notice that they should review what the FTC has considered unfair in the past and make sure that their security practices are not going to run afoul of those FTC concerns.