On October 5, the Chamber of Commerce of the United States of America, the Retail Litigation Center and the American Hotel & Lodging Association filed a brief in support of Wyndham’s motion to dismiss the Complaint (the “Amicus Brief”). The Amicus Brief argues that the FTC is “leveraging its enforcement authority to extract settlements from businesses that themselves have been victimized by data security breaches, and that have no formal notice of the standards that the FTC accuses them of violating.” The Amicus Brief further contends that the FTC “enforcement” is ad hoc, and gives “no advance notice to businesses on what they are required to do to comply with the law in a rapidly changing technological environment,” noting that what comprises a “reasonable” data security measure is ambiguous and ever-changing.
So what are reasonable data security measures? The FTC itself has stated that the data security measures it considers reasonable “will depend on the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information at issue.” In other words, it is nearly impossible to know if your data security is adequate until the FTC tells you it is inadequate. While data security has been a hallmark of compliance for healthcare providers and banks for more than a decade, the hospitality industry has not been subjected to the same regulatory framework. Nonetheless, there are a number of important guidelines that could be followed to lessen the possibility of a data breach, and lessen the possibility of ending up the target of an FTC investigation:
• Stay one step ahead. It is worth the up-front investment for IT professionals and attorneys to examine the type of data being stored and to determine whether access to that data is appropriately protected.
• If there is a breach, act quickly and decisively. In the Wyndham case, the FTC was particularly disturbed by the fact that there were three significant security breaches in less than two years, and Wyndham allegedly still failed to “remedy known security vulnerabilities.” Moreover, nearly every state has breach notification laws requiring hotel owners or operators to notify the individuals whose data was stolen of the breach.
• Ask your attorney and IT professional to work together to present you with a robust compliance plan that is both proactive, to prevent security breaches, and reactive, outlining how best to deal with those breaches if (or when) they occur.
Etan Mark is an attorney and certified fraud examiner at Berger Singerman. He can be reached at email@example.com or 305-714-4360.