Hotel chain says FTC has no right to police its data security methods

Wyndham Worldwide has requested the lawsuit be thrown out

Given the conflicting and slipshod ways cybersecurity is implemented by companies, you might think federal intervention on the matter would be appreciated. But hotelier Wyndham Worldwide was distinctly lacking in gratitude when the Federal Trade Commission filed administrative action against them in June of 2012 for their failure to secure a data breach.

The suit alleges that the Wyndham’s policies, including its password protection and network configuration methods increased the vulnerability of systems and allowed hackers to access the credit card information of its customers. As a result of the breach, Russian hackers were able to make millions of dollars in fraudulent charges between 2008 and 2010.

But Lawyers at the Wyndham say the FTC and Congress have no right to police the cybersecurity policies of any institution, and that there has never been a formal set of laws in place to do so. They requested that the lawsuit, which required the company to reevaluate its protection plans and compensate the consumers affected, be thrown out on these grounds during the opening arguments of the case on Nov. 8.

"I'm not disputing that data security is an important issue," said Eugene Assaf, a lawyer for Wyndham said. "My quarrel is that the FTC is actually not the agency that's supposed to be doing it."

While the FTC cites its longstanding responsibility to protect its consumers, the lack of cybersecurity benchmarks means that its attempts to do so are questionable. Whether or not they have the point of reference to make such suggestions about data protection is the major point of contention for the Wyndham.

Whether or not they have the ability to bring a lawsuit as an extension of their role as consumer advocates, the FTC has been increasingly litigious on the subject. In recent years, it has brought suit against tech companies like Twitter and HTC.

While no framework for cybersecurity code currently exists, the National Institute of Science and Technology recently unveiled its plans to build one out. The NIST has made a preliminary plan that can be scaled to fit the needs of an organization, and currently has It open for comment to see if it can withstand the scrutiny of experts.


Cybersecurity is a growing concern for businesses, read more about it here:

U.S. agencies show ‘limited’ progress in improving cybersecurity measures

Cybersecurity a top concern for general counsel

NIST releases proposed cybersecurity framework

Executive Editor

author image

Chris DiMarco

Chris DiMarco, Executive Editor of InsideCounsel magazine, has a background in multimedia production with previous involvement in projects in which he developed and created content...

Bio and more articles

Join the Conversation

Advertisement. Closing in 15 seconds.