From: NJ.com
Attorneys for Wyndham Worldwide, the Parsippany-based hotel chain, yesterday pressed their case in a Newark court as to why the company shouldn’t face a federal lawsuit over alleged cyber security lapses that let Russian hackers pilfer the credit and debit card numbers of hundreds of thousands of Wyndham customers and ring up more than $10.6 million in fraudulent charges.
The Federal Trade Commission last year sued the hotel chain on the grounds that it had engaged in unfair and deceptive practices because it allegedly assured customers it was using industry-standard practices to protect their data online, when in fact, the agency says, that was not the case. Over two years, hackers repeatedly broke in to the company’s internal networks allegedly because of weak spots in the security of a franchise-owned hotel in Arizona.
At yesterday’s hearing, in which Wyndham sought to have the FTC’s complaint dismissed, attorneys for the hotel chain argued that the agency – which typically polices phony claims about nutritional supplements or credit repair schemes – simply doesn’t have the legal authority to tell companies how they must store customer information online.
“This is not some anti-government polemic,” Wyndham’s lead attorney, Eugene Assaf of Kirkland & Ellis, said at the start of several hours of arguments before Judge Esther Salas. “This is a fair-minded discussion of what they can do around consumer protection as it extends to data security.”
This case is being closely watched by business groups and others because it could define the scope of the FTC’s authority over corporate cyber security, a significant issue to companies that collect and store sensitive customer information.
In his multi-pronged presentation, Assaf argued that the FTC’s role in this area is limited because Congress has never bestowed it with broad powers over cyber security matters, but instead has ordered it to oversee more targeted issues, such as protecting children online and people’s personal information at financial institutions.
Furthermore, Assaf added, even if the FTC had such authority, it has never given the industry notice about what its expectations are in the area, such as through regulations or interpretative guidance. Nor has it offered “safe harbor” provisions that companies can rely upon to know they’re acting correctly.
Leave a Reply