Data security and privacy lawyers around the country have been closely monitoring FTC v. Wyndham Worldwide Corp., pending in the 3rd Circuit. The case arose from multiple data breaches suffered by Wyndham and its customers in 2008 and 2009. Over $10 million in fraudulent charges were booked as a result. Wyndham faced civil litigation from consumers and shareholders alike. Additionally, the FTC brought an action under its broad authority to pursue civil damages and injunctive relief for unfair business practices. Although the term is a general one, an unfair business practice under the FTC Act requires harm to consumers. The FTC has reasoned in recent years that lax cybersecurity meets this standard because data breaches cause consumer harm.
It is worthwhile to keep in mind the facts that gave rise to the FTC’s action against Wyndham. The FTC alleged that the aforementioned breaches were caused by Wyndham’s nonchalant cybersecurity policies. For example, Wyndham did not adequately protect the passwords to its property management system. Rather than using complex passwords that include numbers and capital letters, Wyndham protected its system with easily guessed passwords. Additional bad facts for Wyndham include its practice of storing consumers’ payment information in plain, readable, unencrypted text. This is a big sin in the security world. Finally, Wyndham failed to implement industry-standard privacy protections such as firewalls and segmented data storage.