The Bigger Issue Behind FTC v. Wyndham

Last week a federal court made the decision to endorse the Federal Trade Commission’s power to hold companies accountable if they fail to provide “reasonable protections” and cybersecurity measures.

This move was seen as good news for consumer privacy but bad news for businesses like Wyndham Worldwide, which is currently embroiled in a legal battle with the FTC over its alleged failure to take the necessary actions to protect its customers’ data.

But without providing companies with rigorous guidelines for effective data security practices, is it fair to punish them when things go awry?

We are living in a world of increasingly sophisticated cyber threats with an absence of clear and concise cybersecurity guidance.

In the case of Wyndham Worldwide, the FTC’s standing lawsuit seeks to prove the hotel chain should be held responsible for a series of data breaches spanning three years. In those breaches, the hackers were able to make off with roughly 620,000 credit and debit card numbers, and the FTC said the hacks led to more than $10 million in losses tied to fraud.

In a release following the court’s ruling last week, FTC Chairwoman Edith Ramirez stated that the result “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical,” continued the chairwoman, “that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

For Wyndham, the first instance of stolen payment data happened in April 2008, when a hacker was able to guess the password for an administrative account and connect to the network of a Wyndham-owned hotel in Phoenix. Nearly a year later, in March 2009, another intruder not only gained access to the hotel chain’s customer information but also altered the company’s system to generate files of the payment card account numbers of its guests. Later that year, even more sensitive payment data was stolen through yet another breach.

Josephine Wolff, an assistant professor of public policy and computing security at Rochester Institute of Technology and a faculty associate at Harvard’s Berkman Center for Internet and Society, explained in her article for Slate that while none of the attacks were especially noteworthy in and of themselves, the most significant part of the case is that the hotel chain fought back against the FTC.

The company, along with backers like the U.S. Chamber of Commerce and National Federation of Independent Business, argues that the FTC has overstepped its boundaries and level of authority, The Washington Examiner reported.

There are clear concerns about leaving the FTC to judge whether a company’s security efforts are adequate, especially when there are no strict rules or guidelines to compare them to.

As Wolff points out, the idea of such guidelines being made poses its own set of difficulties.

Even security experts tend to differ when it comes to identifying which cybersecurity practices should be deemed “reasonable” versus “unreasonable.” Different types of companies handle various forms of sensitive data, which ultimately has to be protected in a myriad of ways. There is clearly no one-size-fits-all solution to carving out a standard to which all companies should be held when it comes to the breadth of cybersecurity protections they provide consumers.

According to Fortune, the blame should really lie with Congress as opposed to the regulatory agency, as Congress has continued to ignore pleas to implement laws around data privacy. Earlier this year the FTC released a report urging the adoption of best practices to address the growing concerns surrounding consumer privacy and security risks.

But it seems for now, while businesses await the creation of a more solidified set of defined cybersecurity guidance, they should ensure the measures they have in place are holding up.
