Since 2012, Wyndham Worldwide has been boxing with the Federal Trade Commission (FTC) in an unprecedented bout that has forced us to take a hard look at how data security and privacy are enforced in the United States.

The international hotel enterprise is in the midst of a lawsuit on charges of violating Section 5 of the FTC Act, which prohibits deceptive and unfair practices in commerce. Between 2008 and 2010, Wyndham was the victim of three major data breaches. The incidents resulted in the export of hundreds of thousands of consumers' payment card and personal information to a domain registered in Russia and more than $10.6 million in fraud loss. Allegedly, Wyndham did not have several essential IT controls in place to protect its data, failing to implement firewall protection, provision access appropriately, enforce strong authentication parameters, etc., and furthermore neglected to mitigate known IT vulnerabilities. As expressed in the FTC Act, "deception" is a material representation, omission, or practice that is likely to mislead a consumer acting reasonably under the circumstances. "Unfairness" is substantial injury caused to consumers that is not outweighed by countervailing benefits to consumers and competition and could not reasonably have been avoided by the consumer. Using these definitions as a rubric and scrutinizing the company's fragmentarily implemented data security framework, the FTC accused Wyndham of being a delinquent custodian of sensitive information.

Instead of settling, as most companies have in the past, Wyndham contested the charges and, moreover, is disputing the FTC's power to police cybersecurity at all. In progressing from the district court to the circuit court, the defense has posed the following questions, which poke and prod the very fabric of American data security and privacy law:

Does the FTC have the statutory authority to bring deception and unfairness charges against companies that have failed to implement reasonable data security controls?

Wyndham argues that the sectoral and information-specific laws passed by Congress, such as the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA), mark the boundaries of the FTC's authority. Those laws would be superfluous if the FTC Act already gave the commission the power to enforce data security requirements. Wyndham has also noted that the FTC has, on past occasions, disclaimed authority under Section 5 of the FTC Act to regulate data security.

Does the FTC provide fair notice that sufficiently outlines what data security requirements and best practices are?

Wyndham claims that the FTC does not provide fair and formalized notice in accordance with the Due Process Clause, and demands that a substantive explanation clarifying what the data security expectations actually are be established and communicated, so that organizations can comply with the FTC's interpretation of Section 5 of the FTC Act.

What are the legitimate and factual considerations when determining avoidable, substantial injury to consumers affected by data security lapses? Reading the word literally, Wyndham argues that the FTC has failed to present actual facts demonstrating that consumers have suffered "avoidable" harm.

FTC v. Wyndham marks a critical stage in the life of American data security and privacy law, which is still very much in its infancy. The case challenges the scope of the FTC's congressional authority and examines the adequacy of its enforcement procedures. If the FTC wins, it would firmly affirm the commission's role as the rightful watchdog in this field. If Wyndham prevails, the outcome could considerably reshape the law. Some believe a decision in Wyndham's favor would be a step toward a more effective and just system for consumers and companies alike. Others feel that a Wyndham victory would impair Congress by crippling its principal regulatory body. Still others fear that such an outcome would undermine the United States' international reputation, particularly with the European Union, which already criticizes the Safe Harbor process. Serious implications hang in the balance. Members of the data security and privacy community will certainly keep a close eye on the case as it carries on.

Avani Desai
Executive Vice President
1-866-254-000 ext 140
BrightLine CPAs & Associates, Inc.