BreachExchange mailing list archives

Unwanted hotel charges: Wyndham claims FTC overreach in data breach lawsuit


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Mon, 3 Jun 2013 12:11:12 -0500

http://www.nj.com/business/index.ssf/2013/06/hotel_charges_wyndham_chain_fi.html

When cyber thieves broke into a data network of hotel conglomerate
Wyndham Worldwide, they unwittingly tripped one loud alarm: over the
federal government’s role in dictating corporate cybersecurity.

The Federal Trade Commission last year sued the Parsippany-based hotel
chain over three cyber attacks that hit it in the span of less than
two years, causing the theft of payment-card data for hundreds of
thousands of customers and more than $10.6 million worth of fraudulent
charges.

The FTC accused Wyndham of engaging in unfair and deceptive practices.
Specifically, the agency said the hotel operator told customers it
used "standard industry practices" to protect their private
information, when in fact its steps were not reasonable or
appropriate in the agency’s eyes.

The FTC has brought and settled similar cases with other companies.
But the Wyndham case is set apart by the fact that it has decided to
fight back, legal experts say. In court papers, the company has urged
a federal judge in Newark to dismiss the FTC’s case on the grounds
that the agency has overstepped its authority. Principally, attorneys
for Wyndham say the FTC does not have the authority to set the
standards of a company’s data security, which they say it is
effectively doing by way of this enforcement action.

On June 17, District Court Judge Esther Salas is expected to rule on
Wyndham’s request to dismiss the case, or let it proceed as the FTC
wants. Her ruling will be closely watched by corporate boardrooms,
data security consultants and consumer advocates.

'Must-win'

Depending on the outcome, the FTC could see its enforcement efforts on
cybersecurity cut back. Or it could end up walking away with expanded
powers.

No authority such as Congress or the courts has formally granted the
FTC power over cybersecurity, noted Eric Goldman, a professor at
Santa Clara University’s School of Law and director of its High Tech
Law Institute. Rather, the agency has deputized itself to police this
field.

"The FTC views this as a gap that needs to be filled and they’re going
to fill it. No one has fought back," he said.

At least until now.

"This is a must-win battle for the FTC," Goldman said. "They’ll fight
until they win or until someone says ‘you’re done.’"

The Wyndham case comes at a critical time. The federal government and
private sector are grappling with a surge in cyber crime and attacks
targeting entities from retailers to major banks and from universities
like the Massachusetts Institute of Technology to government agencies.
Congress and the Obama administration have struggled to come to terms
with how to resolve the loose patchwork of laws that govern
cybersecurity.

The FTC’s case against Wyndham revolves around the fact that it told
customers it was using "commercially reasonable" measures to keep
their data safe. That turned out to not be the case, the FTC alleged,
when hackers exploited a weakness in a Wyndham-branded hotel network
that allowed them to burrow deep into the corporate network of a
Wyndham subsidiary and export customer data to Russia. Part of the
reason the hackers were so successful, the FTC argues, was the fact
that Wyndham did not take steps such as encrypting sensitive data,
requiring complex passwords or erecting firewalls between different
levels of the company’s network.

Shots across the bow

Wyndham does not dispute that it was hacked. But in court filings it
argues that the FTC has stretched its enforcement powers to extend to
cybersecurity. "The FTC is not waiting for the political process to
determine the proper scope and contours of cybersecurity regulation,"
its attorneys wrote in late April.

The company goes on to warn that the government agency is effectively
putting companies into a blind spot by taking an enforcement action
without first laying down rules or formal guidance on what security
practices it expects. It also said the agency is punishing Wyndham
when it itself is a victim.

"This is the Internet equivalent of punishing the local furniture
store because it was robbed and its files raided," attorneys for the
hotel chain wrote.

The FTC shot back two weeks ago with a filing that opposed Wyndham’s
request to dismiss its case. Among other things, it threw the hotel
chain’s "furniture store" metaphor on its head by saying it is more
like Wyndham left its doors unlocked and customers’ information on the
counter only to be shocked to find it had been burglarized overnight.

"The FTC is not suing Wyndham for the fact that it was hacked, it is
suing Wyndham for mishandling consumers’ information such that hackers
were able to steal it," the agency said in its April 20 filing.

The case has drawn attention from outside parties. The U.S. Chamber of
Commerce, for example, filed a brief to support Wyndham’s arguments,
while Public Citizen, a consumer watchdog, has rallied to the side of
the FTC.

An FTC victory would force companies that collect and stockpile
sensitive customer data in their ordinary business to re-examine how
they are keeping it safe, watchers say. One of the main focuses will
be how Judge Salas rules on the FTC’s "unfairness" charge against
Wyndham, said Goldman, the Santa Clara University law professor. While
"deception" is a relatively straightforward legal term, the meaning of
unfair is much less clear, he said.

"Unfair – what is unfair?" Goldman said. "All the sudden, the FTC
could be second-guessing every business’s decisions in the
marketplace."

Carl Herberger, vice president at Radware, a cybersecurity firm that
has its U.S. headquarters in Mahwah, notes that the FTC has taken
action against firms over their cybersecurity in only a handful of
instances — 40 times in the past dozen or so years by the FTC’s count
— and only after a major break-in.

He added that if Wyndham emerges a victor, it may inspire other
companies to dial back on how much they spend on cybersecurity.

"It would probably take the foot off the gas pedal for many
institutions on improving their security programs," he said.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list