Wyndham Hotels Loses Legal Battle With Feds Over Lax Security Practices
If a consumer-facing company, like, say, a massive hotel chain, touts its dedication to the security of customer information and then does something to repeatedly put that information at risk — like storing unencrypted credit card data on barely secure networks — can they be forced to share some of the blame when hundreds of thousands of credit card numbers are stolen? The hotel chain says that would be blaming the victim, but a federal appeals court has affirmed the Federal Trade Commission’s authority to go after businesses that fail to live up to their security promises.
Back in 2012, the FTC sued Wyndham Worldwide, which operates not only its namesake hotels, but also chains like Ramada, Knights Inn, Days Inn, Travelodge, and Super 8, among others.
In that complaint [PDF] it was alleged that Wyndham had violated the FTC Act’s prohibition against deceptive business practices by failing to “maintain reasonable and appropriate data security for consumers’ sensitive personal information.”
The regulators allege that it’s deceptive for a business to woo customers by marketing that it cares about privacy, while coming up short when it comes to actually guarding customers’ privacy.
See, even though Wyndham’s websites stated things like, “We recognize the importance of protecting the privacy of individual-specific information collected about guests,” for several years the company’s hotels had lax cybersecurity practices that resulted in multiple breaches.
The complaint claims that Wyndham’s various hotels stored customers’ payment card information in unencrypted clear text, that employees were not required to use complex passwords, and that the company failed to deploy firewalls and other tactics intended to reduce the likelihood of a data breach.
A 2008 breach of the local network of an Arizona Wyndham hotel led to the attacker gaining access to the Wyndham corporate network and the property management system servers of 41 Wyndham-branded hotels. The hackers installed “memory-scraping” malware on these servers and stole unencrypted account info for 500,000 payment cards.
Then in March 2009, the hotel chain was victimized by another, similar breach. This time, the attackers were able to obtain info for 50,000 credit/debit cards. That same year, a third breach put 69,000 consumer payment card accounts in the hands of the criminals who sold the data or used it to make fraudulent purchases.
The FTC alleges that Wyndham’s failure — contrary to its publicly stated dedication to privacy — “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.”
Wyndham argues that the FTC does not have the authority to punish a business for having lax cybersecurity practices. The hotel chain contends that allowing the regulatory agency to sue a hotel — as opposed to the hacker — over a data breach would also give the FTC the right to sue a supermarket for being “sloppy about sweeping up banana peels.”
In an opinion [PDF] from a three-judge panel for the Third Circuit Court of Appeals, the court didn’t seem terribly won over by this analogy.
The banana peel argument is “alarmist to say the least,” reads the opinion. “And it invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under” the FTC Act.
Wyndham also pulled out the dictionary to take issue with the definition of the word “unfair,” citing Webster’s as defining a practice as “unfair” only if it is “not equitable” or is “marked by injustice, partiality, or deception.” To the hotel operator, there was no malice on its part, but this failed to convince the judges.
“A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business,” reads the opinion.
The judges also shot down Wyndham’s contention that it should not be punished just because the company had a different cybersecurity standard than the FTC expects.
Once again, the opinion rends the hotel chain’s argument, noting that “the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points… did not restrict specific IP addresses at all… did not use any encryption for certain customer files… and did not require some users to change their default or factory-setting passwords at all.”
The court might have accepted the contention that Wyndham should not be held responsible for the behavior of hackers if there had only been one attack before the company did something to beef up its practices.
“At least after the second attack, it should have been painfully clear to Wyndham” that it couldn’t use a cost-benefit justification for explaining away a lax security system.
In a statement, FTC Chair Edith Ramirez says the appeals court ruling “reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
Meanwhile, Wyndham tells the Wall Street Journal that “we believe the facts will show the FTC’s allegations are unfounded,” and that “safeguarding personal information remains a top priority for our company.”