Wyndham Worldwide Corp, the holding company for Wyndham Hotels and Resorts, RCI and other lodging brands, suffered three attacks on its computer networks in 2008 and 2009. Consequently, the Federal Trade Commission (FTC), an independent agency of the United States with a principal mission of consumer protection, filed suit alleging Wyndham’s failure to protect the private data of more than 619,000 consumers amounted to unfair and deceptive practices. Wyndham, in response, filed a motion to dismiss the suit while challenging the FTC’s cybersecurity regulatory authority.
Last month, the US Circuit Court of Appeals in Philadelphia upheld an April 2014 district court ruling that allowed the FTC to pursue the lawsuit.
Expect Increased Regulatory Scrutiny
The FTC has been active in seeking to address data security issues and this ruling confirms it has the authority to do so. After the 2014 district court ruling, the FTC said, “The touchstone of the Commission’s approach to data security is reasonableness: a company’s data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities.”
Some believe the FTC will “look to increase its regulatory activity in this area now that its authority has been upheld.” Companies which fail to protect the data they hold can run afoul the FTC for unfair trade practice. And without a clear definition of the term “reasonable,” it is uncertain just how many companies can end up in the crosshairs of the agency.
Understand Insurance Implications
With each data breach and legislative action, it becomes increasingly important that any organization holding sensitive information be vigilant in safeguarding it. As hackers continue to up their game, it becomes even more likely that organizations will be breached at some point. In addition to taking the necessary steps to protect data and having appropriate procedures in place in the event of an attack, it’s also prudent that companies review their Cyber Liability insurance coverage and familiarize themselves with the resources available to respond to an investigation or lawsuit by the FTC.