Cybersecurity: Government’s authority to protect consumer privacy questioned

Published 4 March 2015

A case in the U.S. Court of Appeals for the Third Circuit in Philadelphia could determine what authority the federal government has in protecting consumer privacy on the Internet.

Yesterday, in FTC v. Wyndham Worldwide, hotel giant Wyndham Worldwide Corp. argued that the Federal Trade Commission (FTC) unlawfully tried to enforce cybersecurity standards when the agency brought a case against Wyndham after hackers allegedly stole data from hundreds of thousands of customer accounts in a series of attacks between April 2008 and January 2010. “Ultimately, the breach led to the compromise of more than 500,000 payment card accounts, and the export of hundreds of thousands of consumers’ payment card account numbers to a domain registered in Russia,” the FTC said.

Wyndham is looking to have the appeals court dismiss the FTC’s complaint, and should the company succeed, the FTC could lose its ability to bring cases against companies with lax consumer data security standards.

According to the Wall Street Journal, the FTC contends that lax data security standards allowed the breach to happen, but attorneys for Wyndham argue that Congress never gave the FTC authority to regulate data privacy. Previous FTC actions on cybersecurity were based on the agency’s authority to prevent “unfair” and “deceptive” business practices. Poor cybersecurity, the agency argues, “unreasonably exposes consumers to substantial injury they cannot reasonably avoid” and is just the sort of practice Congress empowered it to prevent. Wyndham has denied having lax cybersecurity standards and says that the FTC’s privacy enforcement represents an illegitimate power grab. “As a matter of law and common sense, a business cannot be deemed to have engaged in an ‘unfair’ practice where, as here, that business itself was the victim of criminal conduct by others,” the company wrote in a brief to the court.

Wyndham vice president for marketing and communication, Michael Valentino, recently told the E-Commerce Times that “at the time of these incidents, we made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services. To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks.”

David Vladeck, former FTC director of consumer protection, said dismissing the agency’s case would “leave a vast area of the law without a regulatory authority.” He believes the FTC is likely to win the case, but should the courts limit the agency’s ability to regulate cybersecurity, state authorities would pursue data privacy cases instead, the result of which could be bad for companies. While the FTC can issue an order forcing a company to improve cybersecurity standards, it cannot issue civil fines, but state attorneys can. “You’d end up with a landscape that’s far less favorable to companies,” Vladeck said.