A hotel chain’s repeated failure to protect customers from hackers constitutes an unfair practice that subjects the company to a lawsuit by the Federal Trade Commission, a federal appeals court in Philadelphia has ruled in a decision that reinforces the agency’s authority to protect consumers from companies that backtrack on promises about privacy.
Wyndham Worldwide Corporation, which licenses its brand to roughly 90 independently owned hotels that use the company’s computerized property management system, cannot contend that federal law or the FTC’s interpretations of it failed to put the company on notice that lapses in cybersecurity on its part could lead to legal liability, according to the court.
The FTC sued Wyndham, which also franchises more than 7,600 hotels worldwide, in June 2012, charging the company with failing to protect consumers in violation of Section 5 the Federal Trade Commission Act, a century-old law that authorizes the FTC to proscribe “unfair or deceptive acts or practices” in commerce.
Three breaches of Wyndham’s property management system over two years starting in 2008 resulted in hackers obtaining payment-card information from more than 619,000 consumers and at least $10.6 million in losses from fraud, the FTC charged.
According to the FTC, Wyndham failed to use encryption, firewalls and other procedures to safeguard customers’ names, payment card account numbers, expiration dates and security codes stored in the system, notwithstanding the company’s privacy notice, which advised customers that Wyndham safeguards their personally identifiable information using industry-standard practices.
Before trial, Wyndham sought to dismiss the FTC’s claims, charging the agency with failing to support a finding of unfairness. Congress reshaped Section 5 to exclude cybersecurity, according to Wyndham, which also charged the FTC with failing to notify companies what standards to follow. U.S. District Judge Esther Salas denied Wyndham’s motion but allowed the company to appeal the ruling.
The appeals court sided with Salas. “A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business,” wrote Judge Thomas Ambro for a three-judge panel of the U.S. Court of Appeals for the 3rd Circuit.
The government’s charges, which ranged from Wyndham’s allowing company-branded hotels to store payment card information in clear readable text, to permitting the use of easily guessed passwords to protect the property management system, to failing to restrict access to the system by third parties, embody unfairness as defined by both the FTC and Congress, the court noted.
In 1994, Congress codified a definition of unfairness adopted by the FTC 14 years earlier that defines the term as an act or practice that “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
Apart from the term’s plain meaning as defined by the FTC, Congress specifically declined to enumerate specific unfair practices in the law, choosing instead to leave its development to the FTC as technology and the marketplace evolve, Ambro explained.
The approach makes sense, according to Omer Tene, a professor at the College of Management School of Law in Rishon Le Zion, Israel and a visiting scholar at the Center for Internet and Society at Stanford Law School, who wrote following the ruling:
“In what could serve as a valuable lesson for European lawmakers as they mull over the details of the voluminous General Data Protection Regulation, Congress had the foresight back then to understand the futility of exhaustively listing every unreasonable practice that might arise. Firewalls, passwords and secure cloud transactions were hardly foreseeable in 1914.”
The court also rejected a claim by Wyndham that a business does not treat its customers unfairly when the business itself is victimized by hackers, a situation the company argued would be akin to allowing the government to sue a supermarket that was “sloppy about sweeping up banana peels.”
“The argument is alarmist to say the least,” wrote Ambro. “And it invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under [Section 5.]”
The court further rejected Wyndham’s contention that it lacked notice of what specific security procedures a business must take to avoid liability. According to the court, the FTC has published enforcement actions and consent decrees that have the effect of notifying companies whether their practices treat consumers fairly. The FTC says it has settled 53 cases against companies related to data security, including Snapchat, Reed Elsevier and Credit Karma.
Ambro noted that in Wyndham’s case the facts failed to create a close call:
“As the FTC points out in its brief, the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points, did not restrict specific IP addresses at all, did not use any encryption for certain customer files, and did not require some users to change their default or factory-setting passwords at all. Wyndham did not respond to this argument in its reply brief.” (citations omitted, emphasis in original)
Whether Wyndham realized the risks to security it faced when the first breach occurred, the company had notice by the second and third cyberattacks, Ambro noted. By now Wyndham knows, too. In its latest annual securities filing, the company described risks it faces in the realm of privacy and security:
“The legal, regulatory and contractual environment surrounding information security and privacy is constantly evolving and the hospitality industry is under increasing attack by cyber-criminals operating on a global basis. Our information technology infrastructure and information systems may also be vulnerable to system failures, computer hacking, cyber-terrorism, computer viruses, and other intentional or unintentional interference, negligence, fraud, misuse and other unauthorized attempts to access or interfere with these systems and our personal and proprietary information.”
According to experts, the ruling is significant in part because it represents the first time a company has challenged the FTC’s authority to hold companies accountable for unfair practices pursuant to Section 5.
“It’s the first Court of Appeals decision on the issue and should be viewed and taken by companies that this is a potential area of exposure,” Eric Hochstadt, a partner at Weil, Gotshal & Manges in New York, told Bloomberg. “This is definitely an area of growing concern as the underlying misconduct, data breaches, is growing in scope.”
For its part, Wyndham vows to continue the fight. “Once the discovery process resumes, we believe the facts will show the FTC’s allegations are unfounded,” spokesman Michael Valentino said in a statement.
The FTC welcomed the ruling. “Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” said Chairwoman Edith Ramirez. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”