By Ryan Mowery

Last week, the FTC filed suit in federal court against global hospitality firm Wyndham Worldwide Corporation in connection with a series of data breaches affecting Wyndham and its subsidiaries between 2008 and 2010.  The complaint alleges that Wyndham misrepresented the security measures it employed to protect consumers’ personal information and that consumers were harmed by Wyndham’s failures to provide reasonable security for that information.  The FTC asserts that the alleged misrepresentations amounted to “deception” in violation of Section 5 of the FTC Act, while the failure to employ reasonable security measures violated the FTC Act’s prohibition against “unfair” acts. 

According to the complaint, the Wyndham Hotels and Resorts privacy policy has claimed since 2008 that Wyndham “recognize[s] the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our websites, and members participating in our Loyalty Program . . . .” Wyndham’s privacy policy further stated that the company used reasonable efforts to protect consumers’ sensitive data, including the use of “firewalls” and other safeguards. 

The FTC alleges that, notwithstanding these representations, Wyndham (among other things) failed to use strong passwords, failed to properly separate corporate and hotel computer systems, and improperly stored payment card information in clear text.  Allegedly as a result of these failures, intruders accessed consumers’ sensitive data on three separate occasions over two years, which led to $10.6 million in fraudulent charges on consumers’ accounts. 

Although the FTC has previously initiated 32 actions under Section 5 against companies for alleged violations of privacy, none of those have been litigated in federal court and all have been resolved by settlements.  The FTC’s decision to file suit against Wyndham in the District of Arizona thus represents a new frontier of the Commission’s enforcement activity in connection with privacy and data security. 

Also noteworthy is the fact that while the Commission voted 5-0 to authorize staff to file the complaint, Commissioner J. Thomas Rosch dissented from Count 2, which charged Wyndham with engaging in “unfair” practices.  Commissioner Rosch’s dissent in Wyndham follows his dissent from the issuance of the FTC’s recent report on consumer privacy, in which Rosch voiced reservations about what he perceived as an undue expansion of the Commission’s understanding of the meaning of “unfairness.”  As Rosch explained, while the Commission has traditionally enforced Section 5’s unfairness prong only where there is a tangible harm to consumers, the FTC’s report appears to promote an understanding of the term that would cover intangible “injuries,” such as harm to one’s reputation. 

Wyndham has vowed to fight the FTC’s suit, which means that, at some point, the court may weigh in on the meaning of unfairness.  This is just one of many reasons we will be watching this case closely.