Wyndham lawsuit tests FTC's data security enforcement authority
Federal judge in N.J. this week let Chamber of Commerce and others file motion to dismiss suit
Computerworld - A federal court judge in New Jersey on Wednesday agreed to allow the U.S. Chamber of Commerce and several other organizations to seek the dismissal of a closely watched data breach lawsuit filed by the Federal Trade Commission against Wyndham Worldwide Corp.
The groups accused the FTC of holding breached entities like Wyndham to unfair and arbitrary standards and alleged that the FTC is forcing businesses into lengthy data breach settlements and imposing costly fines for violating security standards the agency hasn't even formally promulgated.
In addition to the Chamber of Commerce, others who want the suit dismissed include the TechFreedom, the American Hotel and Lodging Association, National Federation of Independent Businesses and the International Franchise Association.
The amicus briefs, prepared months ago, are related to a data breach lawsuit filed by the FTC against Wyndham and three subsidiaries in June 2012.
The lawsuit alleged that the hotel operator suffered three major data breaches in two years because it had failed to implement reasonable information security measures. The breaches resulted in hundreds of thousands of credit and debit cards being compromised and more than $10.6 million in fraud losses.
The FTC accused Wyndham of unfair trade practices and of deceiving customers into thinking their sensitive cardholder data was \ adequately protected when, in fact, it was not.
Many see the case as a landmark test of the FTCs authority to enforce data security standards on U.S. companies under a section of the FTC Act that prohibits "unfair" and "deceptive" trade practices. Over the past several years, the FTC has used this Section 5 authority to force numerous settlements, or "consent decrees," from companies that suffered data breaches.
In previous cases, the FTC accused the breached entity of engaging in unfair and deceptive trade practices for promising to protect consumer data in their privacy notices, but then failing to do so. Some of the consent decrees have involved considerable fines, lengthy periods of monitoring and third-party security audits.
In 2006 for example, the FTC imposed a $10 million civil penalty against data aggregator ChoicePoint Inc. over a data breach that compromised over 180,000 credit and debit cards. As part of its agreement, ChoicePoint was also required to submit to comprehensive security audits every two years for the next 20 years.
In 2012, online gaming firm RockYou agreed to pay a $250,000 fine and submit to third-party audits for 20 years as part of an FTC settlement over a data breach.
The Wyndham lawsuit marks the first time the FTC has had to go to a federal court because a breached entity refused to settle.
In their legal briefs, the Chamber of Commerce and the others accused the agency of routinely punishing businesses for failing to have reasonable security standards without ever specifying what exactly it considers as a reasonable standard. They also questioned the agency's authority to enforce data security standards under the unfair and deceptive practices provisions of the FTC Act.
"Nothing in Section 5 suggests that Congress intended to give the FTC the authority to regulate data security" the Chamber of Commerce said in its 25-page motion to dismiss.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Privacy White Papers | Webcasts