In the case Federal Trade Commission v. Wyndham Worldwide Corporation, the court ruled in favor of the Federal Trade Commission’s (FTC) statutory authority to bring enforcement actions against companies for “unfair or deceptive acts or practices in or affecting commerce” under the FTC Act.
This decision upholds FTC’s authority to pursue enforcement actions against companies for failing to “reasonably protect” consumers’ information. This means that the FTC could potentially use the existence of a breach as proof that a company has not taken “reasonable” steps to protect consumer data. That’s in spite of the fact that the FTC has not defined a standard for reasonable protection.
In the case, Wyndham was the victim of three cyber attacks that resulted in millions of dollars in fraudulent charges using customers’ compromised financial information. The FTC sued Wyndham on the basis that it did not have sufficient data protections in place. That includes firewalls, encrypting credit card information, maintaining network inventory and addressing known vulnerabilities. They also stated that Wyndham’s privacy notice misrepresented the level of data security in place. Wyndham moved to dismiss the case, saying that the FTC did not have the authority under the FTC Act to regulate cybersecurity.
NMHC/NAA will continue to follow developments in this case. The decision could be appealed or reconsidered and the original case is pending in the lower court. NMHC/NAA will also be tracking FTC enforcement actions and watching for official guidance on the definition of reasonable data security.
In the meantime, multifamily owners and operators should put strong defenses in place to protect their company networks, data, and, ultimately, reputations.
Author: Julianne Goodfellow, National Multi Housing Council