|
April 8, 2014 - US District Judge Esther Salas gave the green light to the FTC on Monday to pursue a law suit against Wyndham Worldwide - owner of Windom Hotels - over data security standards that the agency believes are lacking. Wyndham had challenged the agency's authority to bring the suit, stating that the FTC was exceeding its authority. On the surface, the suit may benefit consumers in the short run. But upon closer look, if the lawsuit against Wyndham is successful, the FTC's actions may actually cause additional problems for consumers and businesses alike.
The FTC's lawsuit against Wyndham is nothing new. The fact that it is proceeding to court before being settled is unusual though.
The FTC filed suit against Wyndham in 2012 over data breaches that occurred between 2008 and 2010. According to the FTC, those breaches resulted in hundreds of thousands of Wyndham customers having their credit and debit card numbers stolen by hackers. The FTC is alleging that Wyndham failed to implement reasonable data security procedures to protect the consumer data stored on the company's computers.
The FTC suit is seeking a court to order Wyndham to implement strong data security standards. While that may sound good at first, it also creates a real issue for both businesses and consumers. Specifically, who would determine those standards?
The FTC has, to the best of our knowledge, never published a minimum data security standard for companies to follow. And since most judges are not IT professionals, it stands to reason that courts are ill equipped to establish data security standards that can be applied to businesses around the country.
Just as importantly, even if the FTC or a federal court does come up with a federal minimum standard for data security, then what? If companies apply that standard, will they then be shielded from consumer lawsuits in future data breaches? How often would that standard be updated and who would be responsible for updating it?
These are real issues that need to be though through and which are probably better left to Congress than they are to the courts or the FTC. For the moment at least, consumers do have the right to sue a company in civil court for damages when they are victimized in data breaches. A federal minimum standard might change that. And any minimum standard adopted today will be obsolete in six months. If anything, the hacking community has proven time and again that it is sophisticated and can adapt to new technologies almost immediately.
Wyndham has signaled that it intends to fight the FTC. Unless the FTC can show that Wyndham's data security standard was grossly negligent, everyone may be better off if the FTC loses this particular battle.
byJim Malmberg
Note: When posting a comment, please sign-in first if you want a response. If you are not registered, click here. Registration is easy and free.
Follow me on Twitter:
|
Identity Theft 
