The Wyndham case has been top of mind for many in the privacy, security and legal communities. In full disclosure, OTA has publicly supported the FTC’s position of having regulatory oversight on data security. That said, it is important to understand that there is no perfect security, and we need to be careful not to “victimize the victim”. We appreciate Wyndham’s position on this point, BUT only in the case that a company can demonstrate they HAVE adopted REASONABLE security and privacy enhancing best practices. The crux of the case was Wyndham’s claim that the FTC failed to provide businesses with “fair notice” concerning which data security practices it regards as “unfair” under Section 5 of the FTC Act.
The court provided details on the allegations against Wyndham, including: allowing hotels to store credit card data in plaintext, using easy-to-guess passwords, failing to implement firewalls and other rudimentary data security tools, allowing third parties to connect to the network without authentication, and failing to deploy reasonable measures to detect and respond to cyber-attacks. The Wyndham case is important in the FTC’s emergence as the United States’ top privacy and data security regulator. Affirming the FTC’s authority, the court’s decision could usher in a period of heightened enforcement activity, but most importantly send a strong message that every business MUST take steps to HELP protect the data they collect and hold.
As OTA audits nearly 1,000 sites annually, we are continually amazed by the language and length of privacy policies. Perhaps even more troubling is that executives, privacy professionals (and political candidates) are out of touch and often unaware of the context or connotations, focusing on the needs of the company rather than the customer that pays their salaries.
As we look to the promise of IoT devices and solutions and the escalating threats of malvertising, we need to learn from these missteps and make security and privacy part of our brand promise. Wyndham and Spotify should serve as “teachable moments” for us all to help achieve and enhance online trust.