Thursday, August 27, 2015

‘Banana Peel’ ruling trips up Wyndham in FTC battle over data security

Franchisors and privacy professionals have been closely watching a case in which Wyndham Hotels has challenged the authority of the Federal Trade Commission to regulate data security practices. While many doubted that the FTC would be stripped of its power as the great poobah of privacy enforcement in the United States, I was mildly hopeful that we might get some guidance as to what constitutes adequate data security.

Watch those banana peels! 

On Monday, a federal appellate court ruled against Wyndham and determined that the FTC does have authority to regulate corporate data security practices. The FTC may now continue its claim that Wyndham’s computer system “unreasonably and unnecessarily” exposed consumer personal data to unauthorized access.

This ruling will likely embolden the FTC to pursue similar claims against businesses that experience cyber-attacks and other data breaches. Talk about adding insult to injury.

Wyndham, already dealing with the aftermath of a data breach in which Russian hackers accessed credit card and other information from more than 619,000 consumers and ran up more than $10.6 million in fraudulent charges, must now also defend itself against the FTC.

Wyndham argued that the FTC failed to provide adequate notice as to exactly what is required to achieve adequate data security, and suggested that allowing the FTC such authority was akin to allowing it to regulate hotel room door locks or to sue a supermarket that failed to sweep up banana peels.

In response, Judge Ambro wrote, “a supermarket leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability.”

So sweep up those slippery banana peels and make sure that your computer systems are safe and secure from cyber-attacks.
