Case Study: FTC versus Wyndham Worldwide Corporation

Case Study: FTC versus Wyndham Worldwide Corporation

Let’s consider the case of Federal Trade Commission v. Wyndham Worldwide Corporation, a civil suit brought in the District of Arizona by the Federal Trade Commission (FTC). The case relates to a cybersecurity breach at Wyndham. The FTC sued the hospitality company and three of its subsidiaries because of data breaches where millions of dollars of fraudulent charges on consumer credit and debit cards were incurred. To understand why the case matters quite a bit, we need to step back and understand the role of FTC.

The FTC has two grounds on which it can bring a civil lawsuit. One is an allegation of deception—in other words an argument that some consumer service organization (like, say, Wyndham Hotels) had made representations to the consuming public that were false. As you may imagine, allegations of that sort are often very fact-specific and tied to particular circumstances.

The second ground for FTC enforcement is a broader one—that a company has engaged in “unfair” business practices—in other words, that a company “caused or [is] likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.”

The FTC suit against Wyndham is tied to a breach of Wydham’s computer systems by a Russian criminal organization that allegedly resulted in more than $10 million in fraud losses. It seeks a permanent injunction, directing Wyndham to fix its cybersystems so that they are more secure and unspecified damages.

The suit asserts two grounds for FTC jurisdiction. It first alleges that Wyndham’s privacy policy about how they will maintain the security of information about their customers is deceptive—in other words that Wyndham made cybersecurity promises it couldn’t keep. The suit also alleges that systematically Wyndham’s failure to provide adequate cybersecurity for the personally identifiable information of its customers is an unfair business practice.

This type of lawsuit by the FTC is not unusual. These legal theories have been the foundation, for example, of the FTC’s investigation of Google, Twitter, and HTC, and its investigation of data breaches at large consumer companies like Heartland. In almost all of these cases, the FTC deploys some combination of the argument that a company has misled the public about the nature of its cybersecurity (“deception”) or that it has failed to invest adequately in cybersecurity measures (“unfair practices”). Until now, all of these actions have resulted in out-of-court settlements, leaving the validity of the FTC’s legal theories untested.

FTC’s efforts are the only effective aspect of a federal program to compel the business community to adopt more stringent cybersecurity measures. While opinions are divided as to if the effects of FTC efforts are good or bad, it is indisputable that the outcome where companies are paying credence to the possibility of a lawsuit have increased. Since cybersecurity legislation is still to come in the future, and the administration’s executive order remains in development. The FTC is the only effective game in town.

But now—in the Wyndham case—the FTC’s authority is being questioned. As the Wall Street Journal reported, Wyndham is challenging the basic premise of the FTC’s suit, arguing that consumer protection statutes cannot be stretched to cover cybersecurity issues. Wyndham has argued that the lawsuit exceeds the FTC’s enforcement authority—a position supported by the Chamber of Commerce.

The principal evidence that the FTC may be acting beyond its authority is its own report from 2000, in which it asked Congress to expand its legal authority to consider security breaches as consumer-protection issues. Congress has never acted on that request, but the FTC has decided to proceed anyway. Indeed, as Wyndham notes, there are a host of more specific data-security laws already on the books (HIPAA; COPPA; Graham-Leach-Bliley; Fair Credit Reporting), suggesting that the FTC is acting beyond its remit as a regulatory authority.

Now, we can see why this is a significant matter. In the absence of comprehensive cybersecurity legislation and while we are waiting for the cybersecurity standards of the executive order to be developed, the only effective method for cybersecurity regulation by the government is to use the FTC’s enforcement authority. If, in the end, it turns out that the FTC lacks the authority it has been asserting, then the government will be without any real authority to compel cybersecurity improvements. Some will see that as a victory, and others will see that as a defeat, but either way it will be quite important. (Note: The Third Circuit eventually decided the case in favor of the FTC.)

· 1. Comment on the authority and responsibility aspects of different legislations. What is the best way to give cybersecurity responsibility to an agency and yet have the authority to execute?

· 2. In situations like that of the FTC, what kind of regulations should be developed so as to oversee follow-through in cybersecurity cases?

· 3. As technology evolves, what should be done for the organizations to comply with the legislations?


Comments are closed.