Posted on 28 May 2013 by Neilson
The Federal Trade Commission is offering a strong defense of its powers to police cybersecurity practices against a challenge by Wyndham Worldwide Corp.
We wrote about Wyndham's challenge earlier this month in a case involving attacks by hackers on the hotel chain's computer systems between 2008 and 2010. The FTC sued Wyndham last year for allegedly lax data security that let hundreds of thousands of credit-card numbers get stolen. The company said the government was unfairly seeking to punish the victim of the crime instead of the hackers who perpetrated it.
Now the FTC is firing back, arguing in a new court filing that corporations that collect consumer data bear responsibility for protecting it.
"The FTC is not suing Wyndham for the fact that it was hacked, it is suing Wyndham for mishandling consumers' information such that hackers were able to steal it," the agency said in a court filing this week.
In a battle of analogies, Wyndham argued the FTC suit was "the Internet equivalent of punishing the local furniture store because it was robbed and its files raided."
The FTC's new filing offered a different picture. "A more accurate analogy would be that Wyndham was a local furniture store that left copies of its customers' credit and debit card information lying on the counter, failed to lock the doors of the store at night, and was shocked to find in the morning that someone had stolen the information."
A Wyndham spokesman didn't immediately respond to a request for comment. The company has said it worked with law- enforcement agencies, hired computer forensic experts and took several remedial measures to address the security issues after the hacking.
The case, unfolding in a Newark, N.J., federal court, could set important precedent on the ability of the FTC to use its consumer-protection powers to encourage good corporate data-security practices.
Wyndham and its backers in the business community say companies shouldn't be exposed to a potential government lawsuit anytime they face a cyberattack.
The FTC's supporters say that Congress hasn't addressed corporate cybersecurity in a comprehensive way, leaving the agency to fill the breach. In their latest brief, FTC lawyers said the agency had long-established power to protect consumers from identity theft and other harm flowing from inadequate data security.
U.S. District Judge Esther Salas is considering a Wyndham motion to dismiss the FTC lawsuit. She said in a recent docket entry that she would consider Wyndham's motion next month and render a decision based on the written briefs, without oral argument.