Wyndham Hotels Still Under Fire Over Hacking

     (CN) - The Federal Trade Commission may have a case against Wyndham Worldwide Hotels after Russian hackers cost consumers more than $10.6 million, a federal judge ruled.
     In its 2012 complaint, the FTC alleged that the "failure to maintain reasonable security allowed intruders to obtain unauthorized access to the computer networks," managed by Wyndham and its subsidiaries, "on three separate occasions in less than two years."
     Regulators said Wyndham failed to use firewalls or complex passwords, while storing credit card information in clear readable text and letting hotels connect insecure outdated servers to its network from April 2008 through January 2010.
     That allegedly led to "more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers' payment card account information to a domain registered in Russia."
     Wyndham discovered the security breaches after customers complained of fraudulent credit card charges, the FTC said. More than 619,000 credit card numbers were compromised.
     The complaint, which was transferred from Phoenix, Ariz., to Newark, N.J., accuses the hotel chain of unfairly and deceptively advertising that it used industry-standard security to protect guests' personal information.
     In its latest motion to dismiss, Wyndham argued that the FTC lacks authority to assert an unfairness claim in the data-security context under the Supreme Court's 2000 ruling in FDA v. Brown & Williamson Tobacco Corp.
     U.S. District Judge Esther Salas last week called it "unchartered territory" to have her "carve out a data-security exception to the FTC's authority" in making it publish regulations before filing an unfairness claim.
     In Brown & Williamson, the Supreme Court explained that "Congress, for better or for worse, has created a distinct regulatory scheme for tobacco products, squarely rejected proposals to give the FDA jurisdiction over tobacco, and repeatedly acted to preclude any agency from exercising significant policymaking authority in the area," Salas quoted.
     "But no such dilemma exists here," she added. "Hotels and Resorts fails to explain how the FTC's unfairness authority over data security would lead to a result that is incompatible with more recent legislation and thus would 'plainly contradict congressional policy.'"
     The line is one of 14 in the opinion where Salas noted her added emphasis.
     She said the FTC need not broadcast regulations before claiming unfairness.
     "Although Hotels and Resorts reasonably contends that the 'digital age is moving much more quickly [such that] the timeframe here is compressed,' the public record here is unlike the lengthy, forceful history of repeated and consistent disavowals in Brown & Williamson," the opinion states. "Thus, even accepting that the FTC shifted its stance on data security, this cannot limit its authority without more."
     The FTC adequately pleaded claims of unfairness and deception, according to the ruling.
     "To be sure, the court does not render a decision on liability today," Salas wrote. "Instead, it resolves a motion to dismiss a complaint. A liability determination is for another day. And this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked. Instead, the court denies a motion to dismiss given the allegations in this complaint - which must be taken as true at this stage - in view of binding and persuasive precedent." (Emphases in original.)