
The Federal Trade Commission has surmounted the first hurdle in a case that tests its authority to sue companies over data breaches that compromise consumers’ personal information.

The FTC has brought administrative actions over such lapses but its suit against Wyndham Hotels and Resorts, which survived a motion to dismiss on Monday, is the first to be filed in a court.

U.S. District Judge Esther Salas in Newark, in a published opinion, rejected Wyndham’s “invitation to carve out a data-security exception” to the FTC’s ability to bring unfair practices claims.

But Salas cautioned that her decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.”

The suit was brought over three data breaches in Wyndham’s network between April 2008 and January 2010, which compromised more than 619,000 consumer card account numbers.

The FTC alleges the hackers first gained access to the system of a Wyndham-branded hotel in Phoenix. From there, they guessed user IDs and passwords to get into the Wyndham network, where they installed “memory scraping” malware and obtained payment card information that was stored without any encryption.

Though that initial attack took several days and resulted in 212 account lockouts — triggered by multiple failed logins — Wyndham was unable to determine the physical location of the computers involved because it had no adequate inventory of the machines on the network, and thus did not learn the network had been compromised until almost four months later, the FTC claims.

Even then, Wyndham allegedly failed to fix known security vulnerabilities, employ reasonable measures to detect unauthorized access or follow proper incident response procedures, enabling two more successful hacks, the FTC says.

Much of the exposed account information—customer names, addresses, email addresses, telephone numbers, payment card account numbers, expiration dates and security codes—was allegedly exported to a domain registered in Russia and used to make more than $10.6 million in fraudulent purchases, the FTC says.

Its complaint, filed in Arizona and transferred to New Jersey, where Wyndham is based and allegedly developed and manages its data security protocols, says the hotel chain violated Federal Trade Act §5(a), which prohibits unfair or deceptive practices.

Wyndham allegedly acted unfairly, by its repeated failure to take reasonable steps to safeguard sensitive customer information, and deceptively, because a privacy policy posted on its website misrepresented its security measures.

Wyndham moved to dismiss for failure to state a claim, arguing that the FTC lacks power to bring an unfairness claim over data security and that its failure to adopt regulations before bringing the suit violates fair notice principles.

Wyndham called the FTC’s suit “the Internet equivalent of punishing the local furniture store because it was robbed and its files raided.”

It contended there is no general power to enforce data security beyond what Congress has provided for in laws dealing with narrow sectors of the economy such as credit agencies, the financial services industry and health care providers.

It further argued that the FTC’s efforts were inconsistent with pending legislation—the Cyber Intelligence Sharing and Protection Act—that would create “comprehensive cybersecurity performance requirements.”

Wyndham also relied on FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120 (2000), where the U.S. Supreme Court held that the Food & Drug Administration could not regulate tobacco. Salas distinguished the case, saying Congress had enacted specific measures to regulate tobacco that precluded the FDA, in contrast to the data security laws cited by Wyndham, which seem to complement rather than preclude the FTC’s authority.

Salas did not see the lack of FTC rulemaking on data security as barring an enforcement action for lack of notice.

Wyndham further attacked the complaint on the basis that the statute defines an unfair act as causing or likely to cause “substantial injury to consumers which is not reasonably avoidable by consumers themselves,” arguing that consumer injury from theft of payment card data is never substantial, due to the $50 cap on liability for unauthorized use, and always avoidable, in that the charges can be rescinded.

Salas disagreed, saying she had to accept as true for the motion the FTC’s allegations of substantial harm in the form of unreimbursed fraudulent charges, increased costs, and lost access to funds or credit, as well as time and money spent resolving those charges and mitigating subsequent harm.

In addition, she found adequate pleading of causation based on allegations about measures Wyndham could have used to safeguard customer data, such as complex user IDs and passwords, firewalls, network segmentation between the 90 or so individual hotels and the corporate network and encryption of stored data.

The deception count also survived the motion. Salas held it met even the heightened Rule 9(b) standard for fraud claims based on allegations that Wyndham’s website stated it took “commercially reasonable efforts” to shield customer data.

Still pending is a separate motion to dismiss filed by Wyndham Hotels’ corporate parent and siblings, which assert there is no claim their systems were breached and they cannot be held liable under a common-enterprise theory.

Wyndham’s attorney, Jennifer Hradil of Gibbons in Newark, referred a request for comment to Wyndham, whose spokesman Michael Valentino says, “We continue to believe the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security.”

FTC Chairwoman Edith Ramirez said, “I’m pleased that the court has recognized the FTC’s authority to hold companies accountable for safeguarding consumer data, and we look forward to trying this case on the merits. Companies should take reasonable steps to secure sensitive consumer information. When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers.”

Steve Lehotsky, deputy chief counsel for the Litigation Center of the amicus U.S. Chamber of Commerce, said, “This is just one decision from one court; it will not be the last word in the ongoing debate on these important issues. The FTC’s regulation of cybersecurity practices must provide fair notice to companies and must be clearly within the bounds of the Commission’s statutory authority. We are disappointed with the court’s contrary decision, and we will continue to support Wyndham as this litigation progresses.”

Another amicus, Chris Hoofnagle, who teaches at the University of California, Berkeley, School of Law on the FTC’s regulation of privacy and on computer crime law, says, “Congress and the courts have long recognized that the FTC has a mandate to police any aspect of interstate commerce, except for a few statutory exclusions, and even those entities can be regulated through their contractors.”

Scott Vernick of Fox Rothschild in Philadelphia, whose practice focuses on data security issues, says the ruling means “the FTC is here to stay” and “we’re going to have to deal with them” in court on enforcement actions.
