Following a series of cyber “hacks” of computer systems at Wyndham Worldwide Corporation, the FTC launched a legal battle against Wyndham and several of its subsidiaries that essentially seeks to hold Wyndham (not the actual hackers) responsible for the data breaches. In an exchange of crafty wordsmithing and hypothetical comparisons, Wyndham claimed in court papers that the suit is “the Internet equivalent of punishing the local furniture store because it was robbed and its files raided,” while the FTC has responded that “Wyndham was a local furniture store that left copies of its customers’ credit and debit card information lying on the counter, failed to lock the doors of the store at night, and was shocked to find in the morning that someone had stolen the information.”
Although reality is almost certainly somewhere in between these two competing anecdotes, the very existence of this lawsuit raises the question of just how far this federal agency can stretch its consumer protection powers without crossing the boundary that separates its authority from that of Congress. Ultimately, the case asks whether Wyndham took adequate steps to secure and protect its customers’ information. For now, that question is left to Judge Esther Salas of the U.S. District Court in Newark, NJ.
But the questions that should be asked are ones which identify (1) who gets to set the standard for corporate cybersecurity practices, and (2) who gets to determine when “standard” is no longer enough.