In a major case that did not get much media attention, the Third Circuit Court of Appeals upheld actions taken by the Federal Trade Commission (FTC) against Wyndham Hotels and Resorts for failing to protect its customers’ personal information, including credit and debit card information. Following a series of three major data breaches by Russian hackers affecting more than 600,000 credit and debit cards of Wyndham customers, the FTC took action against Wyndham for failing to “maintain reasonable and appropriate data security for consumers’ sensitive personal information.” Wyndham argued in court that the FTC did not have the authority to punish a business for having lax security practices and further argued that the FTC was punishing the victim, not the perpetrator, of the data breach. Wyndham argued that punishing Wyndham was akin to taking legal action against a supermarket for being “sloppy about sweeping up banana peels.” The Appeals Court judges were not convinced by this argument, and in their opinion they wrote that it “invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under the FTC Act.”
Wyndham also argued that it should not be punished because its standards for cybersecurity were different from those of the FTC. Again, the Appeals Court judges were unconvinced, saying, “the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points…did not restrict specific IP addresses at all… did not use any encryption for certain customer files… and did not require some users to change their default or factory-setting passwords at all.”
This is a major victory for consumers and a warning to companies that they must do more than give lip service to cybersecurity and protecting the personal information of their customers. As FTC Chairwoman Edith Ramirez said following the decision of the Appeals Court, “Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.” There is little that we as individual consumers can do to encourage companies to do a better job of protecting our personal information, although recent class actions alleging negligently inadequate security against companies that suffered data breaches are a start. However, having the weight of the federal government brought to bear on companies on behalf of consumers is a very positive development.