Wyndham found itself in the FTC’s crosshairs because it was repeatedly breached by hackers using the same strategy over a two-year period. Hutnik said the FTC is setting a standard where businesses must keep up with internal issues and market norms.
Is it fair that the FTC is suddenly cracking down? Lustigman says not, since the FTC is acting retroactively and has not issued guidance for data security standards – in stark contrast to its “painstaking detail for other industries.”
Hutnik said it’s an onerous task, as a company like Wyndham has a sprawling network of hotels, franchisees, time shares and independent property managers it must account for.
But for big brands or any digital company that manages sensitive consumer data, the appeals decision is clear about where the burden of responsibility lies for keeping pace with fraudsters and security technology.
“Wyndham cannot argue it was entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform,” Judge Thomas Ambro wrote for the appeals court.