Wyndham Worldwide Corp., the hotel franchiser, must exchange pretrial evidence with the U.S. Federal Trade Commission, which sued the company over computer security lapses after hackers stole data on more than 619,000 consumer payment card numbers, a judge ruled.
The company asked U.S. District Judge Esther Salas to hold the case in abeyance while she weighs the company’s motion to dismiss it on grounds that the FTC lacks authority to regulate data security. Salas refused to grant a stay in federal court in Newark, New Jersey, where she heard arguments today.
“There is a need to move this case forward,” Salas said at the end of a hearing spanning more than five hours. “I am going to do my best to get an opinion issued rather quickly.”
Wyndham, the franchiser of Days Inn hotels and Super 8 motels, is the first to challenge the agency’s authority to regulate data security as an “unfair” act or practice under the Federal Trade Commission Act. The case could affect the U.S. government’s ability to pressure private companies to maintain proper data security practices, according to privacy scholars.
The FTC first sued Wyndham and three subsidiaries in June 2012, claiming that security lapses permitted hackers to breach company computers three times between 2008 and 2009.
In an amended complaint, the agency said the breaches caused the compromise of more than 619,000 card accounts, export of many of those account numbers to a domain registered in Russia, fraudulent charges on many accounts, and more than $10.6 million in fraud loss.
Wyndham, based in Parsippany, New Jersey, argued that Congress never gave the FTC authority to regulate data security practices. The agency has brought 21 data security cases since 2000 alleging unfair practices. Most ended in consent decrees that were not litigated.
The company’s attorney, Eugene Assaf, told Salas that the FTC has issued no rules or regulations guiding companies on protecting data from hackers.
“I have no quarrel, your honor, that data security is a very important issue,” Assaf said. “My quarrel is that the FTC actually isn’t the agency that is supposed to be doing it. They are supposed to be, and I would make the argument as a policy matter that the resources of this agency historically and brilliantly have been used to protect consumers from scammers, thieves and deceivers.”
Assaf also said the agency failed to provide fair notice of what companies must do to provide data security.
In response, agency attorney Kevin Moriarty said the FTC has the authority to act to protect consumers, and it has issued guidelines for businesses on how to protect data.
“Based on the allegations in our complaint, Wyndham wasn’t even complying with those rudimentary guidelines,” Moriarty said.
The case is Federal Trade Commission v. Wyndham Worldwide Corp., 13-cv-01887, U.S. District Court, District of New Jersey (Newark).