Where news headlines are concerned, “Hackers breach corporate security, steal massive amounts of confidential customer data” has been depressingly commonplace for years now. And such reports are almost always followed by a round of financial hot potato, as the people and organizations involved all argue — with varying degrees of justification — that the costs of repairing the damage should be borne by someone else, not them.

So who is responsible for such costs, and who has legal authority to enforce these responsibilities? Such matters haven't always been easy to decide, because the Internet and related technologies keep changing and evolving faster than the law can keep up. But yesterday's ruling by a federal appeals court in Philadelphia has arguably offered an answer.

Federal Trade Commission takes charge

Specifically, the appeals court ruled that the Federal Trade Commission can move forward in its lawsuit against vacation-resort company Wyndham Worldwide Corporation, despite Wyndham's counter-argument that the FTC lacks authority over such matters.

In June 2012, the FTC filed a complaint against Wyndham and three subsidiaries for “alleged data security failures that led to three data breaches at Wyndham hotels in less than two years.” These breaches, in turn, led to fraudulent charges on consumers’ accounts, millions of dollars in losses, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia, according to the FTC.

That said, the FTC's complaint isn't based so much on the fact that Wyndham was triple-hacked, but that its privacy policy “misrepresented the security measures that the company and its subsidiaries took to protect consumers' personal information.”

The FTC's June 2012 court complaint, available as a .pdf here, quotes extensively from Wyndham's own posted privacy policy, which of course swears that it “recognize[s] the importance of protecting” customers' privacy. As quoted by the FTC, Wyndham promised consumers that “We safeguard our Customers’ personally identifiable information by using standard industry practices. Although 'guaranteed security' does not exist on or off the Internet, we take commercially reasonable efforts to create and maintain 'fire walls' and other appropriate safeguards ….”

That's what Wyndham said it would do. According to the FTC's lawsuit, here's a sampling of what it actually did: “failed to use readily available security measures to limit access between [various Wyndham hotel networks] and the Internet, such as by employing firewalls; allowed software ... to be configured inappropriately, resulting in the storage of payment card information in clear readable text; failed to [have] implemented adequate information security policies and procedures …. failure to remedy known security vulnerabilities....” and six additional listed failures, for a total of ten.

Wyndham security complaints

As a result of these lax measures, the FTC went on to assert, hackers were able to breach Wyndham's network three times between April 2008 and January 2010, using similar techniques each time, yet “After discovering each of the first two breaches, Defendants failed to take appropriate steps in a reasonable time frame to prevent the further compromise of the Hotels and Resorts' network.”

At a court hearing last March, Wyndham did not deny any of the FTC's claims. Instead, it argued that the FTC should not penalize the company, since Wyndham itself was a victim of a crime. Furthermore, Wyndham said, if the FTC has the authority to regulate a hotel's data security practices, then it has the authority to “regulate the locks on hotel room doors.”

But the court called this argument “alarmist” and said it “invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability.”

For what it's worth: although ConsumerAffairs' own review archives do show a slew of complaints about Wyndham – eight received in August 2015 alone, with a week yet to go in the month – the bulk of those complaints deal with typical time-share problems: aggressive or dishonest hard-sell tactics, inflated maintenance fees, substandard amenities, and the like.

But scattered here and there is the occasional complaint suggesting issues with the company's handling of data security problems. In May 2011, Huma of Wayne, New Jersey wrote us to say that “A charge of 115$ was made by minors on my Wyndham Rewards Visa; they are run by Barclay Bank apparently. I complained to the vendor and the credit card customer service department. I was told that the charge would be removed if I provided proof of not having received item.”

After I provided the proof of not having the item, they started quoting me some ** about the time having expired for a dispute although there is nothing like this on their site nor were any letters sent to me, indicating that I had a certain time limit to dispute this case. The customer service reps are rude, misinformed and it takes almost 30 minutes to get connected to the right department after they ask you about your issue several times.

I am warning everyone not to sign up for Wyndham Rewards since this is how this nightmare started. They promise you a free hotel night to sign up for the card. Once you sign up, you have to make additional purchases to qualify for the points and then when you try to redeem them, their system is always down, or you have to wait 20+ minutes to speak with a rep about your account. It's not worth the time and frustration!

Regulating "cybersecurity"

Yesterday, when the Philadelphia appeals court ruled that the FTC does have authority to sue Wyndham, it also noted that the FTC might be able to pursue “cybersecurity” cases under 15 U.S.C. Sec. 45 which, among other things, grants the FTC power to prohibit “unfair or deceptive acts or practices in or affecting commerce.”

After the court ruling yesterday, FTC Chairwoman Edith Ramirez said in a statement that the decision “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
