Wyndham Case May Mean Uncertainty for New Payment Providers

The Telecommunications Law Resource Center is the most comprehensive reference and news platform for communications law, covering broadcasting, cable, broadband, telephony and wireless;...

By Kery Murakami

Sept. 16 — Wyndham Hotels & Resorts LLC’s appeal of a Federal Trade Commission (FTC) complaint against the hotel chain for alleged lax data protection practices is being watched closely by banking officials who say it could lead to uncertainty over cybersecurity regulations for emerging technologies such as mobile wallets and digital payments.

The case could also lead to uncertainty for banks and other financial institutions should Congress apply a proposed national data security standard to banks, said Scott Talbott, senior vice president of government affairs for the Electronic Transactions Association. Banks would be exempted from any new national standard because they are currently subject to Gramm-Leach-Bliley data security and notification requirements. But retailers are pushing for the removal of the exemption, potentially making them subject to a national standard that would be enforced by the FTC.

The U.S. Court of Appeals for the Third Circuit on Aug. 24 affirmed the FTC’s authority to sanction businesses for “unfair” business practices based on unreasonably weak data security practices (FTC v. Wyndham Worldwide Corp., 3d Cir., No. 14-3514, 8/24/15). According to the FTC, Wyndham’s procedures contributed to three breaches that gave hackers access to the payment card information of more than 619,000 consumers, resulting in at least $10.6 million in fraudulent transactions.

The court, in denying Wyndham’s motion to dismiss the case, ruled the FTC did not necessarily need to say in advance what businesses are required to do to protect data, legal experts told Bloomberg BNA. That gives the agency wide authority to determine what exactly constitutes an unfair practice and creates uncertainty for businesses of what they're supposed to do.

At a minimum, “the court said you’re on notice as to what sorts of things would be unfair,” Glen Kopp, former assistant U.S. Attorney in the Southern District of New York, and now a partner with Bracewell & Giuliani LLP, told Bloomberg BNA. “But the FTC did not define the outer limits of what they’ll consider unfair.”

The court decision “does not require the FTC to provide ‘ascertainable certainty’ as to how it will determine reasonable security practices or the conduct that will trigger enforcement actions, outside of egregious circumstances,” Christin McMeley, chair of Davis Wright Tremaine LLP’s privacy and security practice, told Bloomberg BNA in an e-mail.

In the absence of a national data security standard, the ruling could leave some alternative payment and mobile payment providers not covered by the Gramm-Leach-Bliley Act cybersecurity requirements, uncertain of which practices could run them afoul of the FTC, Talbott said.

Talbott, whose association includes alternative payment providers such as PayPal and Google, declined to detail specific companies that could be impacted. A number of non-banking companies, including PayPal and Prosper, did not respond to e-mails seeking comment.

The case's full impact will ultimately depend on what happens next. The federal court did not address whether Wyndham's practices were unfair, ruling only whether the case should be thrown out because the FTC had not given proper notice of the possibility of sanctions by laying out what was required. The question of whether Wyndham’s practices were insufficient will now be considered by the U.S. District Court for the District of New Jersey, unless the case is settled. Wyndham attorneys did not respond to a request for comment.

Implications For Banks

On the surface, the case does not affect banks and other financial institutions covered under Gramm-Leach-Bliley, attorneys and banking officials said. But it someday could.

The case comes as several data security bills in Congress propose creating a national standard, with some requiring businesses to take “reasonable measures,” while others simply require creating and implementing a plan. Whether business meet the requirements would be interpreted and enforced by the FTC, a Senate aide said.

The bills for now exempts those subject to Gramm-Leach-Bliley from the standard, but the National Retail Federation is pushing for the exemption to be removed, subjecting financial institutions to current regulations plus a national standard. The uncertainty of the Wyndham case only “raises the stakes” on preserving the Gramm-Leach-Bliley exemption, Talbott said.

“Why should financial institutions have to live by two sets of rules?” American Bankers Association senior vice president and senior advisor for risk management policy, Doug Johnson, told Bloomberg BNA Sept. 10.

But in pushing for the elimination of the Gramm-Leach-Bliley exemption, National Retail Federation senior vice president and general counsel Mallory Duncan told members of the Senate Commerce Committee Feb. 5, “Exemptions for particular industry sectors not only ignore the scope of the problem but create risks criminals can exploit.”

Unfair Practice

In ruling against Wyndham, the circuit court found that even if the FTC hadn’t laid out its requirements, the Federal Trade Commission Act allows the agency to take action against an “unfair practice,” defined as one causing substantial injury to customers that’s not outweighed by any benefits to customers or to competition.”

According to the court decision, Wyndham hotels were hacked three times in 2008 and 2009, beginning with the network of a hotel in Phoenix, in which hackers were able to obtain unencrypted information for more than 500,000 accounts, which they sent to a domain in Russia.

In the second cyberattack, in March 2009, hackers used the same malware as in the first attack, the FTC said. The second attack was also not discovered by Wyndham for two months, until customers began filing complaints about fraudulent charges, the agency said. Because Wyndham had not monitored its network for the malware used in the first attack, “hackers had unauthorized access to [its] network for approximately two months,” the FTC’s complaint against Wyndham said.

In the third attack, hackers were able to gain access to the networks of multiple Wyndham hotels after accessing one of them, because the company hadn’t walled off access between the hotels, the FTC said. As a result, the FTC said hackers obtained payment card information for an additional 69,000 customers at 28 hotels. Wyndham’s failure to take a number of steps—including not following proper incident response procedures by monitoring for the malware used in the first attack, and not using readily available security measures such as firewalls between the hotel networks—constituted an “unfair practice.” The FTC also said Wyndham stored payment card information in clear readable text, and allowed the use of easily guessed passwords.

Despite the absence of clear requirements, “it should have been painfully clear to Wyndham” that a court could find its conduct as unfair under the FTC Act, particularly after the hotel chain was breached a second time, the circuit court said.

Questions Remain

While the circuit court suggested Wyndham was on clear notice that its practices could be deemed unfair, how the standard will be applied in other contexts remains any open question, said Janis Kestenbaum, a former FTC senior legal advisor who is now a partner with Perkins Coie LLP.

“What ‘unfair’ cybersecurity will mean in any given case is a big question. There is a lot of uncertainty,” Kestenbaum said.

The FTC also tends to act on a case-by-case basis, she said. However, it's unlikely the agency will require more than the regulations created to implement Gramm-Leach-Bliley, because the agency tends to point to those rules in cybersecurity cases, Kestenbaum said.

In the ever-changing cybersecurity world, it will be difficult to lay out specific requirements, Craig Carpenter, a member of Thompson & Knight LLP’s data privacy and cybersecurity team, told Bloomberg BNA.

“It would be difficult to develop and implement a ‘standard’ for data security that has any more specificity than the Court’s analysis in this opinion,” he said. “The opinion shows that the Court is comfortable” with using the definition of an unfair practice “as an appropriate measuring stick for security standards.”

McMeley, though, said it’s important for regulatory agencies to give businesses a clear idea of what’s expected, given the potential civil penalties and reputational harm that is at stake. For now, the FCC appears to be focusing on the most “egregious” cases to make examples of bad practices, she wrote in a Sept. 9 Bloomberg BNA Insights piece. “But when do political pressures dictate that other, more borderline cases, be taken by the FCC or another agency?”

To contact the reporter on this story: Kery Murakami in Washington at kmurakami@bna.com

To contact the editor responsible for this story: Seth Stern at sstern@bna.com