Legal Showdown on Cybersecurity

Editor’s Note: For background on this story, see here.

From: Wall Street Journal

Hotelier Wyndham Challenges FTC’s Authority to Police Corporate Data Practices

By BRENT KENDALL

When hackers broke into computer systems at Wyndham Worldwide Corp. and several of its hotels, they allegedly stole payment-card numbers for hundreds of thousands of consumer accounts.

They also sparked a high-stakes legal battle over whether a federal agency can use its consumer-protection powers to police cybersecurity practices at American companies.

The Federal Trade Commission sued Wyndham and three subsidiaries in the wake of the data breaches, alleging that the hotelier followed lax data-security practices that unnecessarily exposed customers’ data to theft. It is asking a federal court to require Wyndham to do better—and to “redress injury” caused by the hacking, which took place from 2008 to early 2010.

Wyndham has asked Judge Esther Salas at the U.S. District Court in Newark, N.J., to throw out the agency’s complaint, saying the lawsuit amounts to an unprecedented power grab in which the FTC is seeking to hold businesses responsible for hacking, rather than the hackers themselves.

“This is the Internet equivalent of punishing the local furniture store because it was robbed and its files raided,” Wyndham said in a recent court filing.

To make matters worse, the company said, the FTC brought the case without ever providing companies with any guidance on what security practices they should adopt.

Congress has yet to give any Washington agency explicit authority to regulate corporate cybersecurity in general or order companies to beef up the security of their systems. So, the FTC has stepped into the breach, citing its long-standing power to protect consumers.

The agency has brought more than a dozen cybersecurity enforcement actions against companies including Twitter Inc. and a U.S. unit of mobile-device maker HTC Corp., on the premise that the companies engaged in unfair or deceptive practices because they didn’t do enough to protect consumers.

In the 2010 Twitter case, the FTC alleged that security lapses at the social-networking service allowed hackers to access private user data and send out phony tweets.

In the HTC case, from February, the agency said the company didn’t take reasonable steps to secure software developed for its smartphones and tablet computers. Twitter and HTC said they have addressed the security issues involved.

The recent actions, which were supported by both the agency’s Democratic and Republican commissioners, produced out-of-court settlements.

That means no judge weighed in on the scope of the FTC’s powers, potentially setting up the Wyndham case as the first big legal test.

“If the FTC loses, it’s going to have a hard time bringing these cases,” says D. Reed Freeman, a lawyer with Morrison & Foerster LLP who counsels companies on privacy and data-security matters.

The FTC lawsuit, filed last June, alleged that several information-security problems at Wyndham hotels, including wrongly configured software, weak passwords and insecure computer servers, made consumers’ payment-card numbers more vulnerable to hacking. The agency said card numbers were sent to an Internet domain registered in Russia, and the hacking led to millions of dollars in fraudulent charges.

Wyndham’s data practices ran counter to its public statements that it took appropriate measures to protect personal information, the FTC said.

The agency based its case and others like it on its authority under Section 5 of the Federal Trade Commission Act, a broadly written law first enacted in 1914 that authorizes the commission to act against a company that harms consumers by taking unfair or deceptive action.

Wyndham, which declined to comment beyond its court papers, said in legal filings that it worked with law-enforcement agencies, hired computer forensic experts and took several remedial measures to address the security breaches.

The company said that to its knowledge, no hotel guest suffered financial injury, and the hackers were never apprehended “or even seriously pursued.”

The company said data-security standards should be decided in the political arena, where Congress is debating legislation and already has enacted security requirements for financial institutions, health-care providers and others.

“In light of the important economic and political considerations involved in establishing data-security standards for the private sector…it defies common sense to think that Congress would have delegated that responsibility to the FTC—particularly through a 1914 statute that does nothing more than forbid ‘unfair’ practices,” Wyndham said in a filing.

FTC Commissioner Julie Brill, a leading advocate of the commission’s approach to protecting consumer information, said in an interview that Congress intended the agency to have flexibility to use its consumer-protection powers to fill in enforcement gaps in other laws. The FTC’s data-security cases “fit well within that congressional intent,” she said.

The FTC often applies the law without controversy to stop clearly unscrupulous business activity, but it has faced criticism when it has interpreted the measure more broadly. In the 1970s, it considered such moves as banning television advertising aimed at children, prompting a political backlash that took a generation to subside.

Wyndham’s challenge to the commission’s powers has attracted the interest of several business groups, including the U.S. Chamber of Commerce.

They filed friend-of-the-court briefs raising the specter of the FTC’s aggressiveness in the 1970s to argue against the agency.

In a court filing, the FTC said its suit against Wyndham was a standard case “against an entity that failed to undertake reasonable measures to protect information that it collected about consumers.”

The agency is set to file its latest response to Wyndham’s request for a dismissal later this month.

 
