The Federal Trade Commission can proceed with its data breach lawsuit against
Wyndham Worldwide Corp. after an appeals court this week denied Wyndham’s
request to dismiss. The FTC alleges the hotel franchiser has failed to protect
consumer data.
The court’s decision “reaffirms the FTC’s authority to hold companies accountable for
failing to safeguard consumer data,” the FTC said in a statement. “It is not
only appropriate, but critical, that the FTC has the ability to take action on
behalf of consumers when companies fail to take reasonable steps to secure
consumer information.”
Wyndham did not respond to a request for comment.
How The Case Started And Progressed
Following three data breaches between 2008 and 2009, the FTC
filed a complaint in 2012 against Wyndham for failing to protect consumers’
personal information. The breaches, according to the court filing, compromised
more than 500,000 payment card accounts, resulting in the export of “hundreds of
thousands” of account numbers to a Russian-registered domain and $10.6 million
in fraud.
“Since at least April 2008, defendants failed to provide
reasonable and appropriate security for the personal information collected and
maintained by [Wyndham properties] by engaging in a number of practices that …
unreasonably and unnecessarily exposed consumers’
personal data to unauthorized access and theft,” the FTC alleged.
Those missteps included failure to enforce complex user IDs
and passwords, lack of firewalls and storage of sensitive card information
without encryption, according to the filing. The FTC further claimed, “After
discovering each of the first two breaches, defendants failed to take
appropriate steps in a reasonable time frame to prevent the further compromise
of the Hotels and Resorts’ network.”
The FTC requested that the court issue a permanent injunction to prevent future
violations and that the court award refunds and other relief to affected
consumers and require Wyndham to pay for court costs.
In response, Wyndham filed a motion to dismiss the case,
questioning the FTC’s authority and arguing the agency violated “fair notice
principles” by claiming violations before formally declaring regulations.
Wyndham further argued that the FTC failed to satisfy federal pleading requirements.
A U.S. district court denied Wyndham’s motion in April 2014, writing: “This decision
does not give the FTC a blank check to sustain a lawsuit against every business
that has been hacked. Instead, the court denies a motion to dismiss given the allegations
in this complaint—which must be taken as true at this stage—in view of binding
and persuasive precedent.”
The hotel company appealed with additional questions
regarding the FTC’s authority to bring a data claim to court and whether it
must declare regulations formally before it could claim violations had
occurred. That June, the court once again denied Wyndham’s motion to dismiss, but
it did grant a motion for review by an appeals court, which heard the appeal in
March 2015. That court upheld the decision on Monday.