Over the past couple of years, we’ve been following and blogging about the data breach that occurred at Wyndham Hotel Group and the resulting lawsuit that the Federal Trade Commission (FTC) filed against the hotelier. We feel this is a very important issue because of the escalating risk of cyber attacks and the potentially far-reaching implications of what is being decided in the Wyndham case.
To recap, between 2008 and 2010 Wyndham suffered several data breaches and was subsequently sued by the FTC for allegedly misrepresenting the security measures it had in place, measures that were supposed to have prevented the hacker intrusions. In 2013, Wyndham asked that the lawsuit be thrown out, and this past Monday a federal court ruled that the FTC has the power to sue companies that fail to protect their customers’ data. The ruling, in essence, turned down a challenge from Wyndham Hotels, which argued that the FTC overstepped its authority with its 2012 lawsuit against the global hotel chain.
Many are seeing the decision by U.S. District Court Judge Esther Salas as a major win for the FTC. If the court had sided with Wyndham, it would have stripped the federal government of oversight of data security practices just as hackers are pulling off more and more high-profile attacks (think Target’s holiday mega data breach, which the FTC is currently investigating, and, more recently, the University of Maryland’s breach of more than 309,000 records).
Salas, however, did indicate that her decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked,” but that she must follow the “binding and persuasive precedent” to uphold the agency’s authority.
The FTC, in fact, has sued dozens of companies in recent years for failing to take reasonable steps to protect customer data. The agency says it has the authority to police data security practices under the power Congress granted it over “unfair” business practices.
The FTC suit against Wyndham alleges that the hotel chain did not use basic security measures such as firewalls, complex passwords, or separating the networks of its different locations. As a result, hackers were able to penetrate a computer network at a Wyndham hotel in Phoenix and ultimately access information on 500,000 credit cards.
Wyndham asked the federal court to throw out the suit, arguing that inadequate data security practices aren’t “unfair” under the legal definition. The company also claimed the FTC should have published clear rules on data security before filing suit.
In response to the judge’s ruling, Michael Valentino, a Wyndham spokesman, noted that the decision is limited to the FTC’s power and does not address whether Wyndham broke the law. “We continue to believe the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security,” he said. “We intend to defend our position vigorously.”
The Wyndham data breach incident and others highlight how organizations are struggling to keep up with the increasingly sophisticated methods hackers use to penetrate computer systems and access data. It also puts the spotlight on the robust measures businesses need to take to prevent such cyber crimes, as well as the consequences they face if those measures are deemed insufficient. Not only do firms face the costs of the breach itself, which include client notification, forensic investigation of the problem, credit monitoring expenses, defense costs, third-party liability judgments and reputational damage, among others; they also face potential penalties, fines and lawsuits from the federal government.
IPOA recognizes the challenges insureds face regarding cyber exposures. As such, we have made Data Breach coverage available under our HotelPro program. The coverage pays the expenses related to breach notification and credit monitoring services, with separate coverage limits for third-party claims; breach response coverage for forensic and legal assistance and notification costs; bureau credit monitoring services; a crisis management sublimit for public relations; a separate limit of liability for privacy, network security and media claims; and more. The policy also includes a $100,000 PCI sublimit. Our brokers can obtain premium indications for the coverage on-line.
Sources: National Journal On-line, Business Insurance