News Feature | September 8, 2015

FTC Lawsuit To Move Forward Indicating Power To Monitor Cybersecurity

Christine Kern

By Christine Kern, contributing writer

Judge With Gavel

FTC- Wyndham Worldwide case could have significant implications for healthcare cybersecurity.

In a three to one decision, a Federal Appeals Court has ruled the Federal Trade Commission lawsuit against Wyndham Worldwide Corp can move forward, arguing the Federal Trade Commission does have the power to regulate corporate cybersecurity.

The lawsuit accuses the hotel operator of failing to safeguard consumers’ information. The FTC suit was filed to hold Wyndham responsible for three separate data breaches in 2008 and 2009, which allowed hackers to access credit card information and other guest details from more than 619,000 consumers resulting in more than $10.6 million in fraudulent charges.

Wyndham continued to maintain that “the FTC’s allegations are unfounded,” according to company spokesman Michael Valentino.

In response to the Appeals Court decision, FTC Chairwoman Edith Ramirez stated, “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

But the decision to allow the Wyndham case to move forward has implications that transcend the corporate world. It could potentially affect the world of healthcare as well, particularly in light of the string of significant healthcare data breaches. From the Anthem cyberattack earlier this year that exposed the personal information of as many as 80 million members to the Premera Blue Cross breach that impacted 11 million customers, healthcare data security has captured the headlines recently.

Healthcare breaches also are unique in that they involve the Health Insurance Portability and Accountability Act (HIPAA) which aims to protect patient privacy. Lisa Clark, partner at Duane Morris in Philadelphia, told Modern Healthcare, “In healthcare we do have the advantage that HIPAA gives some more guidance than the FTC does. FTC is just interpreting a statute whereas HIPAA is a law and a set of complex regulations, and HHS has given a lot of advice and guidance on how to comply with HIPAA.”

But while the FTC doesn’t currently involve itself in many healthcare breaches, Clark explained, it could do so in the future. “It seems that this decision really validates the FTC in terms of its recent enforcement actions. IT’s been very active in this area and I think this just means for healthcare providers, on top of HIPA, they have to be that much more vigilant.”