Three years ago, the Federal Trade Commission brought a groundbreaking legal action against hotel giant Wyndham Worldwide — which includes the Ramada, Days Inn and Super 8 Motel brands — for failing to protect its customers’ personal information, including credit and debit card numbers.
The FTC took this action following 3 major data breaches by Russian hackers affecting more than 600,000 credit and debit cards of Wyndham customers. Now, Wyndham and the FTC have agreed to a settlement that, among other things, will subject Wyndham to annual security audits for the next 20 years.
‘Sloppy about…banana peels?’
Wyndham had earlier argued in court that the FTC did not have the authority to punish a business for having lax security practices and further argued that the FTC was punishing the victim and not the perpetrator of the data breach. Wyndham argued that punishing the hotel chain was akin to taking legal action against a supermarket for being “sloppy about sweeping up banana peels.”
The judges were not swayed. They wrote in an opinion supporting the FTC that Wyndham’s argument “invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under the FTC Act.”
Wyndham also argued that it should not be punished because its standards for cybersecurity were different from those of the FTC. Again, the judges were unconvinced, writing, “The complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points…did not restrict specific IP addresses at all…did not use any encryption for certain customer files… and did not require some users to change their default or factory-setting passwords at all.”
Having lost in its attempts to have the legal action dismissed, Wyndham agreed to the settlement rather than continue the litigation with little chance of success.
This is a major victory for consumers and a warning to companies that they must do more than give lip service to cybersecurity and protecting the personal information of their customers.
As FTC Chair Edith Ramirez said following announcement of the settlement, “This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security. Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”
There is little that we as individual consumers can do to encourage companies to do a better job of protecting our personal information, although lawsuits against firms with negligently inadequate security are a start. However, having the weight of the federal government come to bear on companies on behalf of consumers is a very positive development.
Steve Weisman is a lawyer, a professor at Bentley University in Waltham, Massachusetts, author of “Identity Theft Alert” and editor of the blog Scamicide.com.