Home Data FTC Sets Ambitious Precedent On Cybersecurity Standards

FTC Sets Ambitious Precedent On Cybersecurity Standards


wyndhamWyndham Hotels has lost a motion to dismiss an FTC case alleging the hotel chain exposed consumer personal data to potential theft.

While the case, which will be sent back to a federal trial court following Monday’s ruling by a three-judge appeals panel, doesn’t directly affect advertisers, it affirms the FTC’s power to penalize companies for insufficient cybersecurity practices.

Andrew Lustigman, a partner at Olshan Frome Wolosky who represents marketers on data security issues, said that regardless of how the court case shakes out, this “establishes a standard” for the FTC to bring cases against businesses.

The FTC is putting a new burden on businesses, holding them accountable for failing to keep up with the market. Alysa Hutnik, a partner at Kelley Drye and a legal expert on consumer privacy and data security, said this case is “the first in a long time that I’ve seen where the target of the FTC isn’t a fraudster, but a well-known, big-name brand.”

Hutnik said this case, coming after a period of public awareness around data, from Edward Snowden to the Ashley Madison leak, indicates to big business that the government intends to start enforcing data practices.

While this is an “ambiguous” field, Lustigman said the FTC can potentially use Wyndham’s failed motion to dismiss as precedent to address broader cybersecurity protocols.

Wyndham found itself in the FTC’s crosshairs because it was repeatedly breached by hackers using the same strategy over a two-year period. Hutnik said the FTC is setting a standard where businesses must keep up with internal issues and market norms.

Is it fair that the FTC is suddenly cracking down? Lustigman says not, since the FTC is acting retroactively and has not issued guidance for data security standards – in stark contrast to its “painstaking detail for other industries.”

Hutnik said it’s an onerous task, as a company like Wyndham has a sprawling network of hotels, franchisees, time shares and independent property managers it must account for.

But for big brands or any digital company that manages sensitive consumer data, the appeals decision is clear about where the burden of responsibility lies for keeping pace with fraudsters and security technology.

“Wyndham cannot argue it was entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform,” Judge Thomas Ambro wrote for the appeals court.

Must Read

Nope, We Haven’t Hit Peak Retail Media Yet

The move from in-store to digital shopper marketing continues, as United Airlines, Costco, PayPal, Chase and Expedia make new retail media plays. Plus: what the DSP Madhive saw in advertising sales software company Frequence.

Comic: Ad-ception

The New York Times And Instacart Integrate For Shoppable Recipes

The New York Times and Instacart are partnering for shoppable recipe videos.

Experian Enters The Third-Party Data Onboarding Business

Experian entered the third-party data onboarder market on Tuesday with a new product based on its Tapad acquisition.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

Albertsons Takes Its First Steps Into Non-Endemic Advertising, Retail Media’s Next Frontier

Albertsons is taking that first step into non-endemic advertising next week via a partnership with Rokt to serve ads to people who have already purchased groceries.

Marketecture Buys AdTechGod (No, Really)

Marketecture has acquired AdTechGod – an anonymous ad tech Twitter poster turned one-man content studio – and the AdTech Forum, an information resource hosted by AdTechGod and Jeremy Bloom.

Why The False Advertising Lawsuit Against Poppi Is Bad News For RMNs

This week’s dispatch explores the new trend of false advertising class-action suits in the food and CPG industry and how the evolution of online, data-driven retail media could exacerbate the problem.