White Collar/Data Breach Associate Abe Rein Discusses Third Circuit's FTC/Wyndham Data Breach Decision with TechBeacon
In an August 28 article for TechBeacon, Internal Investigations & White Collar Defense Associate Abraham J. Rein discussed the lessons learned from the Federal Trade Commission's (FTC) recent lawsuit against hotel management company Wyndham Worldwide.
The article, "3 IT security lessons from FTC's Wyndham liability ruling," looks at the FTC's pursuit of Wyndham relating to a breach of its network that compromised customer credit and financial data. According to the FTC’s original complaint, Wyndham and the Wyndham-branded hotels to which the Wyndham name is licensed – whose property management systems link to Wyndham’s corporate network – suffered three intrusions into their computer networks between April 2008 and January 2010. In each case, hackers were allegedly able to access sensitive consumer data by compromising the Wyndham data center in Phoenix, Arizona. Ultimately, the breaches allegedly led to “fraudulent charges on consumers’ accounts, more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to a domain registered in Russia.”
An August 24 Third Circuit Court of Appeals ruling upheld the FTC's lawsuit against Wyndham in the case, and its "right to file civil complaints against businesses for failing to protect consumer information with adequate cybersecurity."
Mr. Rein, who is also a member of the Firm's Data Protection/Breach Practice and has written previously on the FTC's pursuit of Wyndham in the case, notes that the ruling should draw the attention of legal and IT professionals at companies. From the article:
"This case means that companies need to monitor FTC's enforcement actions and what the agency is concerned about. And those people need to be communicating. Someone on the legal side of the office needs to communicate regularly and continuously with the IT folks to make sure they are on top of things."
"Wyndham, in their offices, probably has very good cybersecurity practices, but they license with small hotels all over the world and they are being held responsible for the cybersecurity practices of those hotels. The case could determine that you are responsible for everyone who is accessing your network, if they are doing it with your blessing."