Can The FTC Enforce Credit Card Data Protection? Federal Judge Will Have To Decide

Retailers have had to deal with the U.S. Federal Trade Commission's enforcement actions about their privacy policies for years. But last week a federal judge in New Jersey raised the possibility of scuttling FTC efforts in a new area: pushing retailers to keep payment data secure, according to Computerworld.

Last Wednesday (July 17) U.S. District Court Judge Esther Salas agreed to let the U.S. Chamber of Commerce and several trade groups seek dismissal of an FTC lawsuit against the Wyndham (NYSE:WYN) hotels chain. The complaint, filed in June 2012, says Wyndham deceived consumers about their credit and debit card information being safe. Wyndham suffered three successful attacks by cyberthieves on its Phoenix data center over an 18-month period—all using the same security hole, which Wyndham didn't fix after the first two breaches.

It's not illegal to handle that kind of information recklessly. But the FTC points to a statement on the hotel chain's website: "We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program." The FTC's argument: If Wyndham didn't live up to its data-protection promise, that's fraud.

It's basically the same argument the FTC uses when retailers fail to protect customers' other personal information after promising to do so in their published privacy policies. In its argument to the court, the U.S. Chamber of Commerce argues that the FTC hasn't officially established payment-data standards, so it has no basis to claim Wyndham fell down on the job.

But every retailer knows what the industry standard for payment cards is: the PCI Data Security Standard (PCI DSS). Retailers continue to fight the way Visa and MasterCard enforce PCI requirements, with arbitrary penalties that are sometimes wildly out of proportion to the damage a breach demonstrably caused. But almost no one claims that firewalls, network segmentation and patching security holes are not industry-standard IT practices among retailers.

If the judge disagrees and concludes there is no industry standard, that may sink the FTC's case against Wyndham. But in any case, merchants may want to take another look at any "we protect your data" statements they make on websites or in-store signs. It looks like the FTC will be doing that too.

For more:

- See this Computerworld story
- See this Bloomberg story
