Wyndham Challenges Cyber Security Reach of Federal Trade Commission

A large part of society’s current foundation in the 21st century is unquestionably built upon the storage of billions of pieces of data that can be found and transferred in mere seconds.  With this great power comes the burden of developing and implementing tight forms of cyber security to hinder the effort of a new generation of criminals whose aim it to exploit cyber security…

Wyndham Challenges Cyber Security Reach of Federal Trade Commission
By:  Jacklyn Fetbroyt

A large part of society’s current foundation in the 21st century is unquestionably built upon the storage of billions of pieces of data that can be found and transferred in mere seconds.  With this great power comes the burden of developing and implementing tight forms of cyber security to hinder the effort of a new generation of criminals whose aim it to exploit cyber security to obtain precious stored data such as consumer financial information.  This very process was put on display in one specific instance as Parsippany, New Jersey based hotel company, Wyndham Worldwide, saw itself hit with three separate hacking attacks over the last three years.  The end result was over $10.6 million in fraudulent charges from the theft of hundreds of thousands of customers’ payment information.

In a case pending in the U.S. District Court for the District of New Jersey, Newark Vicinage (docket no. 2:13-cv-01887-ES-SCM),[1] the Federal Trade Commission responded by filing suit against Wyndham Worldwide for “engaging in unfair and deceptive practices” by telling its customers that it used “standard industry practices” to protect their private information, when its maintenance of cyber security measures, according to the FTC, fell below par.  Wyndham, in its Motion to Dismiss, challenged the FTC’s authority, claiming that the FTC exceeded its enforcement powers in the realm of cyber security

Specifically, Wyndham claims that the government has not set formal expectations for cyber security and thus, it is impossible to have not adhered to such standards.  The FTC counters that Wyndham’s failure to take reasonable measures to encrypt the data they had on file and establish appropriate firewalls squarely indicates Wyndham’s violations.

The Court’s decision could impact the future of security of private companies—i.e., if the Court agrees that the FTC maintains discretion in determining what is considered adequate cyber security, companies would be forced to review—and potentially overhaul—their cyber protection measures.  On the other hand, a decision finding that the FTC exceeded its authority may cause lackadaisical measures to persist, at least until appropriate legislation regulates the industry.

The United States Chamber of Commerce recently filed an amicus brief in support of Wyndham, while a consumer group, Public Citizen, sided with the FTC.  With cyber security at the forefront in the private sector (and a buzzword in the Obama Administration), cases such as these could determine the future of American companies’ cyber security measures.


[1] The case was originally filed in the U.S. District Court for the District of Arizona but, upon a Motion to Transfer Venue by Wyndham, was transferred to New Jersey, and is now pending before the Honorable Esther Salas.

Contact Information