Wyndham Hotels has lost a motion to dismiss an FTC case alleging the hotel chain exposed consumer personal data to potential theft.
While the case, which will be sent back to a federal trial court following Monday’s ruling by a three-judge appeals panel, doesn’t directly affect advertisers, it affirms the FTC’s power to penalize companies for insufficient cybersecurity practices.
Andrew Lustigman, a partner at Olshan Frome Wolosky who represents marketers on data security issues, said that regardless of how the court case shakes out, this “establishes a standard” for the FTC to bring cases against businesses.
The FTC is putting a new burden on businesses, holding them accountable for failing to keep up with the market. Alysa Hutnik, a partner at Kelley Drye and a legal expert on consumer privacy and data security, said this case is “the first in a long time that I’ve seen where the target of the FTC isn’t a fraudster, but a well-known, big-name brand.”
Hutnik said this case, coming after a period of public awareness around data, from Edward Snowden to the Ashley Madison leak, indicates to big business that the government intends to start enforcing data practices.
While this is an “ambiguous” field, Lustigman said the FTC can potentially use Wyndham’s failed motion to dismiss as precedent to address broader cybersecurity protocols.
Wyndham found itself in the FTC’s crosshairs because it was repeatedly breached by hackers using the same strategy over a two-year period. Hutnik said the FTC is setting a standard where businesses must keep up with internal issues and market norms.
Is it fair that the FTC is suddenly cracking down? Lustigman says not, since the FTC is acting retroactively and has not issued guidance for data security standards – in stark contrast to its “painstaking detail for other industries.”
Hutnik said it’s an onerous task, as a company like Wyndham has a sprawling network of hotels, franchisees, time shares and independent property managers it must account for.
But for big brands or any digital company that manages sensitive consumer data, the appeals decision is clear about where the burden of responsibility lies for keeping pace with fraudsters and security technology.
“Wyndham cannot argue it was entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform,” Judge Thomas Ambro wrote for the appeals court.
