The Federal Trade Commission's power to bring consumer protection suits against businesses whose computer systems are hacked is under scrutiny in federal court in Newark.
Wyndham, joined by the Chamber of Commerce and other amici, has moved for dismissal on the ground that the FTC is overreaching its statutory authority by trying to establish and enforce data security standards for the entire private sector.
The hotelier calls the suit, FTC v. Wyndham Worldwide Corp., 13-cv-1887, unprecedented and based on an "untenable theory of agency jurisdiction," saying the FTC is attempting to exercise "a general police power over data security matters."
Wyndham claims Congress has declined to take such a sweeping approach but has instead enacted at least 10 laws that empower particular agencies to set data security standards in "certain narrow sectors of the economy." Examples are the Gramm-Leach-Bliley Act, for the financial sector, and the Health Insurance Portability and Accountability Act, covering health-care providers.
The agency either cannot or will not be specific about what Wyndham did wrong, or let the business community know what it must do to avoid a similar lawsuit, says Wyndham.
The FTC insists that it is acting within its legislated powers and that it possesses long-established authority to protect consumers' data from identity theft and other harms stemming from unreasonable data security.
It contends that Wyndham's challenge "reads a data security exception into the FTC Act."
The FTC claims Wyndham customers suffered more than $10.6 million in fraud loss as a result of the hacking, contrary to Wyndham's assertion that the agency knows of no hotel guest financially injured.
The complaint contains two counts under Section 5(a) of the Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce," one alleging deceptive practices and the other unfair ones.
The FTC seeks a permanent injunction to prevent future breaches plus redress for the harm suffered by customers, including but not limited to, rescission or reformation of contract, restitution, refund of monies paid and disgorgement of ill-gotten funds.
The three data breaches at issue are believed to have been perpetrated by cybercriminals from Russia who have yet to be apprehended.
The first occurred in April 2008, after hackers gained entrée to the local computer network of a Wyndham-branded hotel in Phoenix, Ariz.
The FTC describes the ensuing "brute force attack," in which the hackers guessed multiple user IDs and passwords to get into the Wyndham network, where they installed "memory scraping" malware and accessed payment card information stored without any encryption.
Even though the attack took several days and resulted in 212 account lockouts — triggered by multiple failed logins — Wyndham was unable to determine the physical location of the computers involved because it had no adequate inventory of the machines on the network, and thus did not learn the network had been compromised until almost four months later, the FTC claims.
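The pattern the FTC describes, repeated failed logins producing lockouts that nobody correlated, and machines that could not be located for lack of an inventory, is something a defender can watch for directly. The following is an added example (not from the case filings or any Wyndham system) over constructed log lines in an assumed format; it flags any source that triggers a burst of lockouts within a short window and lists logging hosts that are absent from an asset inventory.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not from the case record); format is assumed.
SAMPLE_LOG = """\
2008-04-03T02:14:05 host=PHX-FD-01 user=frontdesk result=FAIL src=10.20.30.40
2008-04-03T02:14:09 host=PHX-FD-01 user=frontdesk result=FAIL src=10.20.30.40
2008-04-03T02:14:14 host=PHX-FD-01 user=frontdesk result=LOCKOUT src=10.20.30.40
2008-04-03T02:15:02 host=PHX-FD-02 user=manager result=FAIL src=10.20.30.40
2008-04-03T02:15:07 host=PHX-FD-02 user=manager result=LOCKOUT src=10.20.30.40
2008-04-03T02:16:30 host=PHX-POS-9 user=night result=LOCKOUT src=10.20.30.40
2008-04-03T09:00:00 host=PHX-FD-01 user=frontdesk result=OK src=10.20.30.5
"""

# Constructed asset inventory: the hosts the security team can physically locate.
INVENTORY = {"PHX-FD-01": "Phoenix front desk, counter 1",
             "PHX-FD-02": "Phoenix front desk, counter 2"}

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) result=(\S+) src=(\S+)$")

def parse_line(line):
    """Return (timestamp, host, user, result, src), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return (ts, *m.groups()[1:])

def lockout_bursts(log_text, window=timedelta(minutes=15), threshold=2):
    """Map each source to the largest number of lockouts it caused inside one window."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev[3] == "LOCKOUT":
            per_src[ev[4]].append(ev[0])
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        for i, t in enumerate(times):          # sliding window from each lockout
            n = sum(1 for u in times[i:] if u - t <= window)
            if n >= threshold:
                flagged[src] = max(flagged.get(src, 0), n)
    return flagged

def unlocatable_hosts(log_text, inventory):
    """Hosts that appear in the log but have no entry in the asset inventory."""
    hosts = {ev[1] for ev in map(parse_line, log_text.splitlines()) if ev}
    return sorted(h for h in hosts if h not in inventory)
```

On the sample data the single source is flagged for three lockouts in under three minutes, and PHX-POS-9 is reported as a machine nobody could point to on a floor plan.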
Even then, Wyndham allegedly failed to fix known security vulnerabilities, employ reasonable measures to detect unauthorized access or follow proper incident response procedures, enabling two more successful hacks in 2009.
Ultimately, more than half a million accounts were exposed and the information was exported to a domain registered in Russia, and used to make fraudulent purchases on the accounts, the FTC says.
Wyndham paints a different picture, asserting it had "substantial security measures" to prevent such attacks and responded to them by alerting law enforcement agencies, hiring computer forensic experts and implementing "significant remedial measures."
The case was originally filed on July 26, 2012, in federal court in Arizona against Wyndham Hotels and Resorts and three related entities, all based in Parsippany.
U.S. District Judge Paul Rosenblatt transferred it to New Jersey on March 25 because the company's data security program was mostly devised, implemented and managed in New Jersey and most key witnesses are here.
The Chamber of Commerce, Retail Litigation Center, American Hotel and Lodging Association and the National Federation of Independent Businesses have filed an amicus brief supporting dismissal.
"Permitting the FTC to proceed on a theory that suffering a data breach is an 'unfair' trade practice would expose every business in America to the potential for a government enforcement action whenever that business suffers a cyber-attack or other incident that potentially compromises personal data," says the brief, filed by Hogan Lovells in New York City.
Another group of amici seeking dismissal — TechFreedom, International Center for Law and Economics and self-designated "consumer protection scholars" Justin Hurwitz, Todd Zywicki and Paul Rubin — argue that courts should "demand that the FTC develop the law of data security through rulemakings, and other forms of guidance to give companies advance notice of how unfairness applies to them."
That group, represented by Stephen Orlofsky of Blank Rome in Princeton, a former federal judge, adds that a court holding that the FTC's enforcement of Section 5 is vague as applied to Wyndham would serve as a catalyst for the FTC to change its approach.
On the other side of the issue are amici Public Citizen and Chris Hoofnagle, who teaches courses on the FTC's regulation of privacy and on computer crime law at the University of California's Berkeley School of Law.
Hoofnagle says Wyndham's motion is but the latest instance in which an industry has tried to fight an FTC enforcement action by arguing that the agency "should simply police common-law wrongs" and has no power to determine what is unfair and deceptive.
The FTC website lists other data security cases. Most recently, a settlement approved in May resolved charges that inadequate security practices at Cbr Systems, a cord blood bank, led to exposure of Social Security numbers and debit and credit card information of nearly 300,000 consumers.
FTC spokesman Peter Kaplan declines comment.
Wyndham's attorney, Jennifer Hradil of Gibbons in Newark, did not return a call.
The motion is pending before U.S. District Judge Esther Salas.